smokeloader | 493e5223dceb96c32286d78a1f91dd148d3e498b97ae767f013bd5f664385964

Resubmissions

04/11/2023, 20:29

231104-y9mlnage95 10

04/11/2023, 20:21

04/11/2023, 20:09

04/11/2023, 19:28

04/11/2023, 19:23

04/11/2023, 19:18

04/11/2023, 19:16

04/11/2023, 18:52

Analysis

max time kernel
67s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

klyuch-aktivacii-dly-ct7kTVM5Zxs7.exe
Size

8.2MB
MD5

84cc583acaf2d2ce5230bc53f5725f53
SHA1

a36a43bcf7b7966ffec90ffac220938562cc4d65
SHA256

493e5223dceb96c32286d78a1f91dd148d3e498b97ae767f013bd5f664385964
SHA512

92b41d73f877683aa00b609a21539a6210837c92e72efbf1ed0217e826c2a10095268724f18e88ba26b56c4d37501325787e446363cbc78b7aa60973c8dcc477
SSDEEP

196608:gl4/ZHG2jzxzRBJn/Aa5XJNeyxpmz/oxZl1IrKj0sM0AwK3B:gO/ZHV3Jb5XzfxpmzAxZl1cIKoK3B

Score

10^/10

smokeloader up4 backdoor discovery trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

up4

Extracted

Family

smokeloader

Version

2020

http://host-file-file0.com/

http://file-file-file1.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
3748	KDDeskVis.exe
2268	KDDeskVis.exe

Loads dropped DLL 1 IoCs

pid	Process
3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0021000000022eff-384.dat	upx
behavioral2/files/0x0021000000022eff-405.dat	upx
behavioral2/memory/1612-409-0x0000000000B30000-0x0000000001059000-memory.dmp	upx
behavioral2/files/0x0006000000022f15-420.dat	upx
behavioral2/files/0x0021000000022eff-419.dat	upx
behavioral2/files/0x0006000000022f15-431.dat	upx
behavioral2/memory/3880-481-0x0000000000B90000-0x00000000010B9000-memory.dmp	upx
behavioral2/files/0x0021000000022eff-504.dat	upx
behavioral2/files/0x0021000000022eff-518.dat	upx
behavioral2/memory/3316-392-0x0000000000B30000-0x0000000001059000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\KDDeskVis\is-0EK25.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-052LF.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-SSJAK.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\phonon_backend\is-8QTFG.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-78C76.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-H82O0.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-FM9VV.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-DNKKB.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\shiboken2\is-LKJNP.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\pywin32_system32\is-E9IRI.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\shiboken2\is-15AQ5.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\websockets-10.4.dist-info\is-DRSHN.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-40GEG.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-LRHRH.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-5Q8OF.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-RLNFR.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-RCPTC.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\phonon_backend\is-H1R5F.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\shiboken2\is-GECO5.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File opened for modification	C:\Program Files (x86)\KDDeskVis\unins000.dat	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-1EQI7.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-J5BUP.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-KDH9H.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-VU1NP.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-VAA6S.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-6QRTC.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\sqldrivers\is-IV5CS.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-V5V38.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-R8PD9.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-KBVUK.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-2Q9SF.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-HPD9A.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-364GP.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-JDDU5.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-4GH2K.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-7KT2S.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-SRR0H.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-SOGO8.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-A93VP.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\pywin32_system32\is-KQ1J9.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\unins000.dat	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-MHID0.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\certifi\is-IIF7G.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-BVNRL.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\sqldrivers\is-G96KH.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-6UTKO.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-NTLDE.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\imageformats\is-VPRG0.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\sqldrivers\is-E8IAJ.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-SUIMF.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\websockets\is-91V3L.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\websockets-10.4.dist-info\is-UQNVQ.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\websockets-10.4.dist-info\is-HNE7O.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-CDGSR.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-26364.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\sqldrivers\is-SNLNP.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\websockets-10.4.dist-info\is-FALBF.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\websockets-10.4.dist-info\is-QEIQN.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-SHDUJ.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-51D82.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\websockets-10.4.dist-info\is-4UIU2.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\win32com\shell\is-PE7PV.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-NJ3O5.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
File created	C:\Program Files (x86)\KDDeskVis\is-5NAH2.tmp	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 44 IoCs

pid	pid_target	Process	procid_target
2148	3748	WerFault.exe	92
1196	3748	WerFault.exe	92
2716	3748	WerFault.exe	92
1760	2268	WerFault.exe	105
4896	2268	WerFault.exe	105
4716	2268	WerFault.exe	105
988	2268	WerFault.exe	105
4884	2268	WerFault.exe	105
4776	2268	WerFault.exe	105
4624	2268	WerFault.exe	105
852	2268	WerFault.exe	105
372	2268	WerFault.exe	105
5084	2268	WerFault.exe	105
2768	2268	WerFault.exe	105
5004	2268	WerFault.exe	105
2240	2268	WerFault.exe	105
4644	2268	WerFault.exe	105
4160	2268	WerFault.exe	105
4800	2268	WerFault.exe	105
4652	2268	WerFault.exe	105
3924	2268	WerFault.exe	105
4260	2268	WerFault.exe	105
2052	2268	WerFault.exe	105
1208	2268	WerFault.exe	105
3012	2268	WerFault.exe	105
3964	2268	WerFault.exe	105
5196	2268	WerFault.exe	105
5248	2268	WerFault.exe	105
5476	2268	WerFault.exe	105
5548	2268	WerFault.exe	105
5640	2268	WerFault.exe	105
5696	2268	WerFault.exe	105
5744	2268	WerFault.exe	105
5816	2268	WerFault.exe	105
5928	2268	WerFault.exe	105
5996	2268	WerFault.exe	105
6048	2268	WerFault.exe	105
3624	2268	WerFault.exe	105
5476	2268	WerFault.exe	105
4400	2268	WerFault.exe	105
1072	2268	WerFault.exe	105
4040	2268	WerFault.exe	105
2208	2268	WerFault.exe	105
4200	2268	WerFault.exe	105

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2008	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2268	KDDeskVis.exe
2268	KDDeskVis.exe
2836	msedge.exe
2836	msedge.exe
4860	msedge.exe
4860	msedge.exe
2268	KDDeskVis.exe
2268	KDDeskVis.exe
1196	identity_helper.exe
1196	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 3252	1424	klyuch-aktivacii-dly-ct7kTVM5Zxs7.exe	87
PID 1424 wrote to memory of 3252	1424	klyuch-aktivacii-dly-ct7kTVM5Zxs7.exe	87
PID 1424 wrote to memory of 3252	1424	klyuch-aktivacii-dly-ct7kTVM5Zxs7.exe	87
PID 3252 wrote to memory of 4652	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	90
PID 3252 wrote to memory of 4652	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	90
PID 3252 wrote to memory of 4652	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	90
PID 3252 wrote to memory of 3748	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	92
PID 3252 wrote to memory of 3748	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	92
PID 3252 wrote to memory of 3748	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	92
PID 3252 wrote to memory of 5104	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	106
PID 3252 wrote to memory of 5104	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	106
PID 3252 wrote to memory of 5104	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	106
PID 3252 wrote to memory of 2268	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	105
PID 3252 wrote to memory of 2268	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	105
PID 3252 wrote to memory of 2268	3252	klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp	105
PID 2268 wrote to memory of 4860	2268	KDDeskVis.exe	150
PID 2268 wrote to memory of 4860	2268	KDDeskVis.exe	150
PID 4860 wrote to memory of 4272	4860	msedge.exe	152
PID 4860 wrote to memory of 4272	4860	msedge.exe	152
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2468	4860	msedge.exe	154
PID 4860 wrote to memory of 2836	4860	msedge.exe	155
PID 4860 wrote to memory of 2836	4860	msedge.exe	155
PID 4860 wrote to memory of 2436	4860	msedge.exe	156
PID 4860 wrote to memory of 2436	4860	msedge.exe	156
PID 4860 wrote to memory of 2436	4860	msedge.exe	156

C:\Users\Admin\AppData\Local\Temp\klyuch-aktivacii-dly-ct7kTVM5Zxs7.exe
"C:\Users\Admin\AppData\Local\Temp\klyuch-aktivacii-dly-ct7kTVM5Zxs7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\is-LKRI9.tmp\klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LKRI9.tmp\klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp" /SL5="$11005E,8366906,52224,C:\Users\Admin\AppData\Local\Temp\klyuch-aktivacii-dly-ct7kTVM5Zxs7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "KDDV1104-2"
    3⤵
    PID:4652
- - C:\Program Files (x86)\KDDeskVis\KDDeskVis.exe
    "C:\Program Files (x86)\KDDeskVis\KDDeskVis.exe"
    3⤵
    - Executes dropped EXE
    PID:3748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 944
      4⤵
      Program crash
      PID:2148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 980
      4⤵
      Program crash
      PID:1196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 148
      4⤵
      Program crash
      PID:2716
- - C:\Program Files (x86)\KDDeskVis\KDDeskVis.exe
    "C:\Program Files (x86)\KDDeskVis\KDDeskVis.exe" 8db29571b27cd988d95f9cb562d8a6fa
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 928
      4⤵
      Program crash
      PID:1760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 936
      4⤵
      Program crash
      PID:4896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 960
      4⤵
      Program crash
      PID:4716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1136
      4⤵
      Program crash
      PID:988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1156
      4⤵
      Program crash
      PID:4884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1236
      4⤵
      Program crash
      PID:4776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1244
      4⤵
      Program crash
      PID:4624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1364
      4⤵
      Program crash
      PID:852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1376
      4⤵
      Program crash
      PID:372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1240
      4⤵
      Program crash
      PID:5084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1048
      4⤵
      Program crash
      PID:2768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1396
      4⤵
      Program crash
      PID:5004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1744
      4⤵
      Program crash
      PID:2240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 964
      4⤵
      Program crash
      PID:4644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1704
      4⤵
      Program crash
      PID:4160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1356
      4⤵
      Program crash
      PID:4800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1972
      4⤵
      Program crash
      PID:4652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2148
      4⤵
      Program crash
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fileek.com/search/?q=klyuch-aktivacii-dlya-rpg-maker-mv
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffaf76146f8,0x7ffaf7614708,0x7ffaf7614718
        5⤵
        
        PID:4272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:2468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
        5⤵
        
        PID:2436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        5⤵
        
        PID:5088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        
        PID:1536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
        5⤵
        
        PID:4416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 /prefetch:8
        5⤵
        
        PID:3608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
        5⤵
        
        PID:2304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
        5⤵
        
        PID:1940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
        5⤵
        
        PID:5268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12072233890772875885,14045790300915794129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
        5⤵
        
        PID:5260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1704
      4⤵
      Program crash
      PID:4260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1888
      4⤵
      Program crash
      PID:2052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1848
      4⤵
      Program crash
      PID:1208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1944
      4⤵
      Program crash
      PID:3012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1944
      4⤵
      Program crash
      PID:3964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1928
      4⤵
      Program crash
      PID:5196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1888
      4⤵
      Program crash
      PID:5248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1392
      4⤵
      Program crash
      PID:5476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2092
      4⤵
      Program crash
      PID:5548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1812
      4⤵
      Program crash
      PID:5640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2092
      4⤵
      Program crash
      PID:5696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1876
      4⤵
      Program crash
      PID:5744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2212
      4⤵
      Program crash
      PID:5816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1808
      4⤵
      Program crash
      PID:5928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2092
      4⤵
      Program crash
      PID:5996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1392
      4⤵
      Program crash
      PID:6048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe"
      4⤵
      PID:6084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe"
        5⤵
        
        PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\wkTnYHQh\pycl1wn4a.exe"
      4⤵
      PID:6100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\wkTnYHQh\pycl1wn4a.exe"
        5⤵
        
        PID:5056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2200
      4⤵
      Program crash
      PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\vJ3nNkKQ\CNMP1lZb10XUs3qY.exe"
      4⤵
      PID:5456
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\vJ3nNkKQ\CNMP1lZb10XUs3qY.exe"
        5⤵
        
        PID:5656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Nh2zDh4E\25nHCddI67wvfH.exe"
      4⤵
      PID:2412
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Nh2zDh4E\25nHCddI67wvfH.exe"
        5⤵
        
        PID:5584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1808
      4⤵
      Program crash
      PID:5476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe"
      4⤵
      PID:1836
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe"
        5⤵
        
        PID:5896
  - - C:\Users\Admin\AppData\Local\Temp\wkTnYHQh\pycl1wn4a.exe
      C:\Users\Admin\AppData\Local\Temp\wkTnYHQh\pycl1wn4a.exe -eywhbg73luze
      4⤵
      PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe
      C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe
      4⤵
      PID:6028
    - - C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe
        
        C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe
        5⤵
        
        PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2252
      4⤵
      Program crash
      PID:4400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1532
      4⤵
      Program crash
      PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe
      C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe --silent --allusers=0
      4⤵
      PID:3316
    - - C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe
        
        C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.36 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f0,0x72755648,0x72755658,0x72755664
        5⤵
        
        PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iLwNXDpz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iLwNXDpz.exe" --version
        5⤵
        
        PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3316 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231104185332" --session-guid=e56046c1-9b42-4adc-b7c9-23b728b362d8 --server-tracking-blob="NDZiZTNiODdiMjUyNGIzYjZmYzBiM2MzOGZjZDQ3MDc0NTRhMmY1MjMwMjhjZmVhNjA0ODE0YmFjZWJlNDhhMDp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5OTEyNDAwMC40NjAxIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExLjAuNDY2NC4xMzcgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiMmI4ZTgyNDItNjU5My00YzBjLTkxNjktNmQyMWNkMzQ2YzJiIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1C05000000000000
        5⤵
        
        PID:5548
      - C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe
        
        C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.36 --initial-client-data=0x2e0,0x2f0,0x2f4,0x2bc,0x2f8,0x70c45648,0x70c45658,0x70c45664
        6⤵
        
        PID:5656
  - - C:\Users\Admin\AppData\Local\Temp\vJ3nNkKQ\CNMP1lZb10XUs3qY.exe
      C:\Users\Admin\AppData\Local\Temp\vJ3nNkKQ\CNMP1lZb10XUs3qY.exe
      4⤵
      PID:5256
    - - C:\Users\Admin\AppData\Local\Temp\is-P4FP2.tmp\CNMP1lZb10XUs3qY.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P4FP2.tmp\CNMP1lZb10XUs3qY.tmp" /SL5="$202AA,4706185,54272,C:\Users\Admin\AppData\Local\Temp\vJ3nNkKQ\CNMP1lZb10XUs3qY.exe"
        5⤵
        
        PID:5836
      - C:\Program Files (x86)\DBuster\DBuster.exe
        
        "C:\Program Files (x86)\DBuster\DBuster.exe" -i
        6⤵
        
        PID:5824
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 4
        6⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 4
        7⤵
        
        PID:1072
      - C:\Program Files (x86)\DBuster\DBuster.exe
        
        "C:\Program Files (x86)\DBuster\DBuster.exe" -s
        6⤵
        
        PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\Nh2zDh4E\25nHCddI67wvfH.exe
      C:\Users\Admin\AppData\Local\Temp\Nh2zDh4E\25nHCddI67wvfH.exe /did=757674 /S
      4⤵
      PID:2496
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:5868
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:5152
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:6040
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:4632
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:5448
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gWKYngvEk" /SC once /ST 16:58:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:2008
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gWKYngvEk"
        5⤵
        
        PID:5764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1808
      4⤵
      Program crash
      PID:4040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1532
      4⤵
      Program crash
      PID:2208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 2000
      4⤵
      Program crash
      PID:4200
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3748 -ip 3748
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3748 -ip 3748
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3748 -ip 3748
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2268 -ip 2268
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2268 -ip 2268
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2268 -ip 2268
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2268 -ip 2268
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2268 -ip 2268
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2268 -ip 2268
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2268 -ip 2268
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2268 -ip 2268
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2268 -ip 2268
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2268 -ip 2268
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2268 -ip 2268
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2268 -ip 2268
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2268 -ip 2268
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2268 -ip 2268
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2268 -ip 2268
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2268 -ip 2268
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2268 -ip 2268
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2268 -ip 2268
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2268 -ip 2268
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2268 -ip 2268
1⤵
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2268 -ip 2268
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2268 -ip 2268
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2268 -ip 2268
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2268 -ip 2268
1⤵
PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2268 -ip 2268
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2268 -ip 2268
1⤵
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2268 -ip 2268
1⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2268 -ip 2268
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2268 -ip 2268
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2268 -ip 2268
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2268 -ip 2268
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2268 -ip 2268
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2268 -ip 2268
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2268 -ip 2268
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2268 -ip 2268
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2268 -ip 2268
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2268 -ip 2268
1⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2268 -ip 2268
1⤵
PID:5136

C:\Program Files\WProxy\WinProxy\WinProxy.exe
"C:\Program Files\WProxy\WinProxy\WinProxy.exe"
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2268 -ip 2268
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2268 -ip 2268
1⤵
PID:4920

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
1⤵
PID:4400

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2268 -ip 2268
1⤵
PID:6000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DBuster\DBuster.exe

Filesize
3.7MB

MD5
fc767b27baff0c6f4b6e492038b065db

SHA1
6937ca48e055e560a2565a2c24aec748f8bbeba4

SHA256
f541560281495dabe50972f214684838a49530fca57bc2011c8bdc5205f37407

SHA512
4c9a3288a807fc191572dd05394e7f56495fd9ec738d8440a26150fd557b439beb7c39f6d9648aefe79a4377575b7d248810a1bf4b16367d0762114327854b8e

Download Submit
C:\Program Files (x86)\DBuster\DBuster.exe

Filesize
3.7MB

MD5
fc767b27baff0c6f4b6e492038b065db

SHA1
6937ca48e055e560a2565a2c24aec748f8bbeba4

SHA256
f541560281495dabe50972f214684838a49530fca57bc2011c8bdc5205f37407

SHA512
4c9a3288a807fc191572dd05394e7f56495fd9ec738d8440a26150fd557b439beb7c39f6d9648aefe79a4377575b7d248810a1bf4b16367d0762114327854b8e

Download Submit
C:\Program Files (x86)\DBuster\DBuster.exe

Filesize
3.7MB

MD5
fc767b27baff0c6f4b6e492038b065db

SHA1
6937ca48e055e560a2565a2c24aec748f8bbeba4

SHA256
f541560281495dabe50972f214684838a49530fca57bc2011c8bdc5205f37407

SHA512
4c9a3288a807fc191572dd05394e7f56495fd9ec738d8440a26150fd557b439beb7c39f6d9648aefe79a4377575b7d248810a1bf4b16367d0762114327854b8e

Download Submit
C:\Program Files (x86)\KDDeskVis\KDDeskVis.exe

Filesize
6.2MB

MD5
3c8b67abf2ab018f27cc24164bf5acfd

SHA1
b766d1e6396908f6fb45ed5848ca6893f20b857d

SHA256
bfe91fe04365efd150de8cdb7f39ac5280a9351ec08e8e45a734f9208b0d7f2a

SHA512
b2cfce329fa185bb661241b0ca4a2a0829595fc658e8c365adec6ff1a49c74d3da5e4baaa32ab2884c839fa340f2feffbf315686dc01b57d28087410f5db3832

Download Submit
C:\Program Files (x86)\KDDeskVis\KDDeskVis.exe

Filesize
6.2MB

MD5
3c8b67abf2ab018f27cc24164bf5acfd

SHA1
b766d1e6396908f6fb45ed5848ca6893f20b857d

SHA256
bfe91fe04365efd150de8cdb7f39ac5280a9351ec08e8e45a734f9208b0d7f2a

SHA512
b2cfce329fa185bb661241b0ca4a2a0829595fc658e8c365adec6ff1a49c74d3da5e4baaa32ab2884c839fa340f2feffbf315686dc01b57d28087410f5db3832

Download Submit
C:\Program Files (x86)\KDDeskVis\KDDeskVis.exe

Filesize
6.2MB

MD5
3c8b67abf2ab018f27cc24164bf5acfd

SHA1
b766d1e6396908f6fb45ed5848ca6893f20b857d

SHA256
bfe91fe04365efd150de8cdb7f39ac5280a9351ec08e8e45a734f9208b0d7f2a

SHA512
b2cfce329fa185bb661241b0ca4a2a0829595fc658e8c365adec6ff1a49c74d3da5e4baaa32ab2884c839fa340f2feffbf315686dc01b57d28087410f5db3832

Download Submit
C:\Program Files\WProxy\WinProxy\WinProxy.exe

Filesize
134KB

MD5
7885ed380e28b9faf74e2ba250705874

SHA1
0bbe19447500840eee7eb90e990fbd3e236884e9

SHA256
18632ff9ea1de800577a9abfdf6ad5436f729ccb2b5bdf54e0a5d8aeb955c727

SHA512
1aa2f5d90ff542908d609c299a2e91304fcc286dafd88c54ca124f78f39f579ee5336d1e924577eb687e6412077c64720a388682a76fe40f8895e76699a3c15a

Download Submit
C:\Program Files\WProxy\WinProxy\WinProxy.exe

Filesize
134KB

MD5
7885ed380e28b9faf74e2ba250705874

SHA1
0bbe19447500840eee7eb90e990fbd3e236884e9

SHA256
18632ff9ea1de800577a9abfdf6ad5436f729ccb2b5bdf54e0a5d8aeb955c727

SHA512
1aa2f5d90ff542908d609c299a2e91304fcc286dafd88c54ca124f78f39f579ee5336d1e924577eb687e6412077c64720a388682a76fe40f8895e76699a3c15a

Download Submit
C:\Program Files\WProxy\WinProxy\p2p-sdk.dll

Filesize
222KB

MD5
52c574de153622dfd330fa9d9c2a5edc

SHA1
ecb5121bc8160cc65a013c2f5f260a65b9987ca3

SHA256
9796a9f313f7592047314369b7515cc86fa25c4d7acec200090cce585564346b

SHA512
8fa4438c48408798d6fc82fef81a14144d6159df941991832f80bff2ebc4480863034b25a59c4c6a8d6feed132b6fabca3b84d82024b67392ea79d35792d32c4

Download Submit
C:\Program Files\WProxy\WinProxy\p2p-sdk.dll

Filesize
222KB

MD5
52c574de153622dfd330fa9d9c2a5edc

SHA1
ecb5121bc8160cc65a013c2f5f260a65b9987ca3

SHA256
9796a9f313f7592047314369b7515cc86fa25c4d7acec200090cce585564346b

SHA512
8fa4438c48408798d6fc82fef81a14144d6159df941991832f80bff2ebc4480863034b25a59c4c6a8d6feed132b6fabca3b84d82024b67392ea79d35792d32c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ebfc5e8fa000efd6bd300eeb4e04a6e

SHA1
f5ecf7a61a53ecbae329d06e1363077c8c86b0d4

SHA256
a0c8d27c394f1095126d2d665cdb552897c1ad7e1647bba699978441988e21ad

SHA512
8e28d71006b69606e5dc3943b5363c48659896820a0fd23d6537127ce183b26252735436c699a43ba869d51353d99c37d67a21cf03d1a61019f8abbb33b4c7ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3437e3fe9f78e3ec883dbc3278bbd300

SHA1
be28c5329ff7395978370756c9de2b2f1fd280cc

SHA256
3b3a4ad1bf52cf0de7affc12189852504905a84262b1a36425c187002bc0a2e8

SHA512
a66beea45508c5cdd973763744d0229358f33b3f416a518008ebe6e7c74a301639dfa0636c01e2f786105cdc0aae23c28acc9c7315979cad77b0544b9b1d1a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f08e536d667a22ed08262dcc485a9fdb

SHA1
bef5cc54b1ce1f453b8e6d4802d5026ce0792797

SHA256
c7fecf60082de5f3785313028bd73209e59d0f23351dcb19e860008efcd22b56

SHA512
cdb18b6ccaa16885b597ba4236da00e26cbcba2f052508932df03da18577b26b9b3b23a64acf11a5059d441857aa613f0df86220124475d3493156a68448054f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b83179d47bdb9836d40c3455613b6c24

SHA1
0d540eb02c729099fbe73c2b0810def0a72b04c4

SHA256
10da0e6abd755c685d347fc2d083ab51f9f8d5ce7e9b47b3728320f9ca57227a

SHA512
aa898024e0b9c29c454531ca92ba2f7f71b7cecbf0733433cd97d8ed98f467ee44b160f7e360d5bb07725fc830595fb6c1ad31947765ca25f42e43d713a63267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b83179d47bdb9836d40c3455613b6c24

SHA1
0d540eb02c729099fbe73c2b0810def0a72b04c4

SHA256
10da0e6abd755c685d347fc2d083ab51f9f8d5ce7e9b47b3728320f9ca57227a

SHA512
aa898024e0b9c29c454531ca92ba2f7f71b7cecbf0733433cd97d8ed98f467ee44b160f7e360d5bb07725fc830595fb6c1ad31947765ca25f42e43d713a63267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
6b3dd6632131af14f5b27d024cad77ef

SHA1
91568df8d017cf5d38520f65586dd0474ff442f8

SHA256
e5ec274c31d7d2db962c7391df621510fdc82f176f0d50c08b86f4005e153061

SHA512
88030af434ef7310e1e6dc3a989afc3c660c379dc809d48ee7dfa3b62c5448345a4b9117f8162299eac89ce953b63374e9b486322f4854b5c8babb462967228a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c2b1610455abaa564c9f94395fa62e75

SHA1
b5cf21f01113ea628c5f78685d2b43aeb5bf7b99

SHA256
331d28c62fd400f99f820ff4d76ee0b71524592f6ede47ff9ce7b8b91b31f4fd

SHA512
67094dace7236cd146c4c3694a727204f5d4e338d55eec1d29ee692e159686731ade83299046e7a976fc5a38987713c7f9929000db91d3ff393a4aaba9546792

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iLwNXDpz.exe

Filesize
2.8MB

MD5
f90d1d4ecc00f29cf9c09e1141386d6a

SHA1
09b2ee3093bee0c0be2b3b6800b7db36341a3ce5

SHA256
8830aaa7ef230f79aeb70c698ecdaba06bdfd79348cbf5ef80a1389aa2849785

SHA512
a73db82f7b583cbb7ce20f73eba46405a77204ce941b78a2b8b681bc3cb8b4f1165ca2a81078e4df19f8f6fc944f0b445c3f9e08184e4b656849782c7cb51c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iLwNXDpz.exe

Filesize
2.8MB

MD5
f90d1d4ecc00f29cf9c09e1141386d6a

SHA1
09b2ee3093bee0c0be2b3b6800b7db36341a3ce5

SHA256
8830aaa7ef230f79aeb70c698ecdaba06bdfd79348cbf5ef80a1389aa2849785

SHA512
a73db82f7b583cbb7ce20f73eba46405a77204ce941b78a2b8b681bc3cb8b4f1165ca2a81078e4df19f8f6fc944f0b445c3f9e08184e4b656849782c7cb51c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nh2zDh4E\25nHCddI67wvfH.exe

Filesize
6.7MB

MD5
adb436adfc033480160354c9d17471c0

SHA1
f5204a945ff65eaf377023362133aa6333c28a33

SHA256
a463fbaae3961e25c8dd86bccc9638c63a00de43a0e35a93200346c76e0e7434

SHA512
bac36f063218d172147a6188959ccfc2600e6fd0a8403653909415b51392ee0d3f6ad9dbfba547e085aa740d7564b8869c42d47aa239edd6da67eaa64a889fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe

Filesize
2.8MB

MD5
f90d1d4ecc00f29cf9c09e1141386d6a

SHA1
09b2ee3093bee0c0be2b3b6800b7db36341a3ce5

SHA256
8830aaa7ef230f79aeb70c698ecdaba06bdfd79348cbf5ef80a1389aa2849785

SHA512
a73db82f7b583cbb7ce20f73eba46405a77204ce941b78a2b8b681bc3cb8b4f1165ca2a81078e4df19f8f6fc944f0b445c3f9e08184e4b656849782c7cb51c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe

Filesize
2.8MB

MD5
f90d1d4ecc00f29cf9c09e1141386d6a

SHA1
09b2ee3093bee0c0be2b3b6800b7db36341a3ce5

SHA256
8830aaa7ef230f79aeb70c698ecdaba06bdfd79348cbf5ef80a1389aa2849785

SHA512
a73db82f7b583cbb7ce20f73eba46405a77204ce941b78a2b8b681bc3cb8b4f1165ca2a81078e4df19f8f6fc944f0b445c3f9e08184e4b656849782c7cb51c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe

Filesize
2.8MB

MD5
f90d1d4ecc00f29cf9c09e1141386d6a

SHA1
09b2ee3093bee0c0be2b3b6800b7db36341a3ce5

SHA256
8830aaa7ef230f79aeb70c698ecdaba06bdfd79348cbf5ef80a1389aa2849785

SHA512
a73db82f7b583cbb7ce20f73eba46405a77204ce941b78a2b8b681bc3cb8b4f1165ca2a81078e4df19f8f6fc944f0b445c3f9e08184e4b656849782c7cb51c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe

Filesize
2.8MB

MD5
f90d1d4ecc00f29cf9c09e1141386d6a

SHA1
09b2ee3093bee0c0be2b3b6800b7db36341a3ce5

SHA256
8830aaa7ef230f79aeb70c698ecdaba06bdfd79348cbf5ef80a1389aa2849785

SHA512
a73db82f7b583cbb7ce20f73eba46405a77204ce941b78a2b8b681bc3cb8b4f1165ca2a81078e4df19f8f6fc944f0b445c3f9e08184e4b656849782c7cb51c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCQJrUSK\iLwNXDpz.exe

Filesize
2.8MB

MD5
f90d1d4ecc00f29cf9c09e1141386d6a

SHA1
09b2ee3093bee0c0be2b3b6800b7db36341a3ce5

SHA256
8830aaa7ef230f79aeb70c698ecdaba06bdfd79348cbf5ef80a1389aa2849785

SHA512
a73db82f7b583cbb7ce20f73eba46405a77204ce941b78a2b8b681bc3cb8b4f1165ca2a81078e4df19f8f6fc944f0b445c3f9e08184e4b656849782c7cb51c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311041853303283316.dll

Filesize
4.6MB

MD5
68001bcf377466ec4609ee69c69a60c6

SHA1
703dfb6e1da43c378c1f9ee8ea55195b756df7be

SHA256
fa8e4113a3b61f494284a8e95c1eef20953cadce31f2dba82bb2f3ed902053da

SHA512
4e55d6592db8fee915eaf34a02e00698f63d3dfb8a9730fadaa74b4c66df1d1b1891af141a86ef93c2eeab0a480f0e526c8e24ad7305c1cd8e01863aca6507db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311041853308281612.dll

Filesize
4.6MB

MD5
68001bcf377466ec4609ee69c69a60c6

SHA1
703dfb6e1da43c378c1f9ee8ea55195b756df7be

SHA256
fa8e4113a3b61f494284a8e95c1eef20953cadce31f2dba82bb2f3ed902053da

SHA512
4e55d6592db8fee915eaf34a02e00698f63d3dfb8a9730fadaa74b4c66df1d1b1891af141a86ef93c2eeab0a480f0e526c8e24ad7305c1cd8e01863aca6507db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311041853316843880.dll

Filesize
4.6MB

MD5
68001bcf377466ec4609ee69c69a60c6

SHA1
703dfb6e1da43c378c1f9ee8ea55195b756df7be

SHA256
fa8e4113a3b61f494284a8e95c1eef20953cadce31f2dba82bb2f3ed902053da

SHA512
4e55d6592db8fee915eaf34a02e00698f63d3dfb8a9730fadaa74b4c66df1d1b1891af141a86ef93c2eeab0a480f0e526c8e24ad7305c1cd8e01863aca6507db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311041853316843880.dll

Filesize
4.6MB

MD5
68001bcf377466ec4609ee69c69a60c6

SHA1
703dfb6e1da43c378c1f9ee8ea55195b756df7be

SHA256
fa8e4113a3b61f494284a8e95c1eef20953cadce31f2dba82bb2f3ed902053da

SHA512
4e55d6592db8fee915eaf34a02e00698f63d3dfb8a9730fadaa74b4c66df1d1b1891af141a86ef93c2eeab0a480f0e526c8e24ad7305c1cd8e01863aca6507db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311041853327465548.dll

Filesize
4.6MB

MD5
68001bcf377466ec4609ee69c69a60c6

SHA1
703dfb6e1da43c378c1f9ee8ea55195b756df7be

SHA256
fa8e4113a3b61f494284a8e95c1eef20953cadce31f2dba82bb2f3ed902053da

SHA512
4e55d6592db8fee915eaf34a02e00698f63d3dfb8a9730fadaa74b4c66df1d1b1891af141a86ef93c2eeab0a480f0e526c8e24ad7305c1cd8e01863aca6507db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311041853333875656.dll

Filesize
4.6MB

MD5
68001bcf377466ec4609ee69c69a60c6

SHA1
703dfb6e1da43c378c1f9ee8ea55195b756df7be

SHA256
fa8e4113a3b61f494284a8e95c1eef20953cadce31f2dba82bb2f3ed902053da

SHA512
4e55d6592db8fee915eaf34a02e00698f63d3dfb8a9730fadaa74b4c66df1d1b1891af141a86ef93c2eeab0a480f0e526c8e24ad7305c1cd8e01863aca6507db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqdawfwi.woa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe

Filesize
250KB

MD5
8964ec464bbd02f89370b7d9c885e804

SHA1
c6c48ebc623aa8f9c630538204f9a0ec6cded66f

SHA256
82a2cd4b4149a4f282174caad4a2f51c408c64d4e3e46414d8738f3c39a16c4a

SHA512
861aceca4a133890622de725903e319b159295388ef03f50c3b7b6c6a06e6d48de4a32112335fef44adbbdf96aa1a2fd8d990d795f2dc61208a096f23ecd0e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe

Filesize
250KB

MD5
8964ec464bbd02f89370b7d9c885e804

SHA1
c6c48ebc623aa8f9c630538204f9a0ec6cded66f

SHA256
82a2cd4b4149a4f282174caad4a2f51c408c64d4e3e46414d8738f3c39a16c4a

SHA512
861aceca4a133890622de725903e319b159295388ef03f50c3b7b6c6a06e6d48de4a32112335fef44adbbdf96aa1a2fd8d990d795f2dc61208a096f23ecd0e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSSr3MGm\s6I07E.exe

Filesize
250KB

MD5
8964ec464bbd02f89370b7d9c885e804

SHA1
c6c48ebc623aa8f9c630538204f9a0ec6cded66f

SHA256
82a2cd4b4149a4f282174caad4a2f51c408c64d4e3e46414d8738f3c39a16c4a

SHA512
861aceca4a133890622de725903e319b159295388ef03f50c3b7b6c6a06e6d48de4a32112335fef44adbbdf96aa1a2fd8d990d795f2dc61208a096f23ecd0e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DAS89.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCU69.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCU69.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DCU69.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LKRI9.tmp\klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp

Filesize
679KB

MD5
c698899ced5b1c16ea714d9022a20acd

SHA1
0b4aa773d111194388387910d12359d27696fb66

SHA256
26dd3b6dfb6863f37a6e2407b07ca2d934b40616f6c14a2630c8d3e21f62a2d8

SHA512
dce6b00f420a43f9bced9ed4eda18b1c305cba1bb408ccfecf0e735ea32786ce522754bfd02cfa0a38d393deda9d2f6c040eb7f95d12859b0e9c4a41c5a883ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LKRI9.tmp\klyuch-aktivacii-dly-ct7kTVM5Zxs7.tmp

Filesize
679KB

MD5
c698899ced5b1c16ea714d9022a20acd

SHA1
0b4aa773d111194388387910d12359d27696fb66

SHA256
26dd3b6dfb6863f37a6e2407b07ca2d934b40616f6c14a2630c8d3e21f62a2d8

SHA512
dce6b00f420a43f9bced9ed4eda18b1c305cba1bb408ccfecf0e735ea32786ce522754bfd02cfa0a38d393deda9d2f6c040eb7f95d12859b0e9c4a41c5a883ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P4FP2.tmp\CNMP1lZb10XUs3qY.tmp

Filesize
680KB

MD5
27d62e7d59d5de98c027ce6cebeacb1f

SHA1
9985ff73f6c880d1560320d1c7378b1405313d9c

SHA256
2ff75404383b2999841f8e9156ea2f9eb27270c4bd6033e827ce1a2660f3044f

SHA512
f1421589b508dcc9b7e9fe5df620d8c537cb06bd02e44853c59e61c1877a1c8ae47042b4051b732301adf734e41a2122b0a5a2f51cb61ee4c927ebb20826ffaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P4FP2.tmp\CNMP1lZb10XUs3qY.tmp

Filesize
680KB

MD5
27d62e7d59d5de98c027ce6cebeacb1f

SHA1
9985ff73f6c880d1560320d1c7378b1405313d9c

SHA256
2ff75404383b2999841f8e9156ea2f9eb27270c4bd6033e827ce1a2660f3044f

SHA512
f1421589b508dcc9b7e9fe5df620d8c537cb06bd02e44853c59e61c1877a1c8ae47042b4051b732301adf734e41a2122b0a5a2f51cb61ee4c927ebb20826ffaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vJ3nNkKQ\CNMP1lZb10XUs3qY.exe

Filesize
4.8MB

MD5
006e818a17e9ba90b85ab0883f82dc4e

SHA1
194a37cd01943ad0b8296031e6ea6bdff859555d

SHA256
aa303b7960b31a5ed34ada0e15b2dd81a1103a8f79e6f3446d34f8904852b3f0

SHA512
65de0b8499240b987d46dc662043243d533b95a05de3a7682ec56b7621ec9570399c7969eda748e723bb301311faa9baccfa595e670acd3e7f22494e59866ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vJ3nNkKQ\CNMP1lZb10XUs3qY.exe

Filesize
4.8MB

MD5
006e818a17e9ba90b85ab0883f82dc4e

SHA1
194a37cd01943ad0b8296031e6ea6bdff859555d

SHA256
aa303b7960b31a5ed34ada0e15b2dd81a1103a8f79e6f3446d34f8904852b3f0

SHA512
65de0b8499240b987d46dc662043243d533b95a05de3a7682ec56b7621ec9570399c7969eda748e723bb301311faa9baccfa595e670acd3e7f22494e59866ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkTnYHQh\pycl1wn4a.exe

Filesize
1.2MB

MD5
488708196cbca559d82fe2bd772b8885

SHA1
a3dc01bb19eeabf51cbb911b21058fc2e176ba35

SHA256
02f5e9101540411f936337ff0869010f8ccab6d1ebfa2676f28a6a0d56cdcf2b

SHA512
d96b7ef7fc227d363c84fc301841193422727f57e6f3d1b76faa44f139e115a9d18b768f171f19bf3bb77f11915995502563e33c62b0c73bd56786dce70b0325

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkTnYHQh\pycl1wn4a.exe

Filesize
1.2MB

MD5
488708196cbca559d82fe2bd772b8885

SHA1
a3dc01bb19eeabf51cbb911b21058fc2e176ba35

SHA256
02f5e9101540411f936337ff0869010f8ccab6d1ebfa2676f28a6a0d56cdcf2b

SHA512
d96b7ef7fc227d363c84fc301841193422727f57e6f3d1b76faa44f139e115a9d18b768f171f19bf3bb77f11915995502563e33c62b0c73bd56786dce70b0325

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
3907c178d17adffb89dbb56dccfb208c

SHA1
f21e3856cf2763b19f0a574800f4ec4620c6bf1a

SHA256
5b48f7c87a8f79c9c2470186696480740adec9a3840f260bdf30e1fd67f6041c

SHA512
928c99e329fa243cb46c3eb660714881518e7f6ebc54e1cb9910b5c9aad12ffe33b0d10b273270f448fcbfb802362ccd9a79e55cfd5cde45a395d3b66bb97bf0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
3907c178d17adffb89dbb56dccfb208c

SHA1
f21e3856cf2763b19f0a574800f4ec4620c6bf1a

SHA256
5b48f7c87a8f79c9c2470186696480740adec9a3840f260bdf30e1fd67f6041c

SHA512
928c99e329fa243cb46c3eb660714881518e7f6ebc54e1cb9910b5c9aad12ffe33b0d10b273270f448fcbfb802362ccd9a79e55cfd5cde45a395d3b66bb97bf0

Download Submit
memory/1424-164-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1424-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1468-594-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/1608-278-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/1608-342-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1608-275-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/1608-271-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1608-273-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/1608-320-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/1612-409-0x0000000000B30000-0x0000000001059000-memory.dmp

Filesize
5.2MB

Download
memory/2268-581-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2268-168-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2268-174-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2268-234-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2268-173-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2268-178-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2268-304-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2268-170-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/2268-169-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2268-176-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/2268-499-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/2496-400-0x0000000000320000-0x00000000009E1000-memory.dmp

Filesize
6.8MB

Download
memory/2496-410-0x0000000010000000-0x000000001056C000-memory.dmp

Filesize
5.4MB

Download
memory/2996-553-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2996-574-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3252-166-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3252-172-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3252-7-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3316-392-0x0000000000B30000-0x0000000001059000-memory.dmp

Filesize
5.2MB

Download
memory/3352-570-0x00000000028F0000-0x0000000002906000-memory.dmp

Filesize
88KB

Download
memory/3748-157-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/3748-159-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/3748-160-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/3748-161-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3748-163-0x0000000000400000-0x0000000000E29000-memory.dmp

Filesize
10.2MB

Download
memory/3880-481-0x0000000000B90000-0x00000000010B9000-memory.dmp

Filesize
5.2MB

Download
memory/5056-270-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

Filesize
216KB

Download
memory/5056-297-0x0000000005DC0000-0x0000000006114000-memory.dmp

Filesize
3.3MB

Download
memory/5056-269-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/5056-272-0x0000000005470000-0x0000000005A98000-memory.dmp

Filesize
6.2MB

Download
memory/5056-274-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/5056-276-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/5056-277-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/5056-338-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/5056-298-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/5056-299-0x00000000062D0000-0x000000000631C000-memory.dmp

Filesize
304KB

Download
memory/5056-326-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/5056-325-0x00000000079E0000-0x000000000805A000-memory.dmp

Filesize
6.5MB

Download
memory/5056-321-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/5256-404-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5256-397-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5584-306-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/5584-371-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/5584-378-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/5584-373-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/5584-305-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/5584-372-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/5584-309-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/5584-369-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/5656-322-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/5656-379-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/5656-370-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/5656-323-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/5824-535-0x0000000000400000-0x00000000007BA000-memory.dmp

Filesize
3.7MB

Download
memory/5836-437-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/5836-580-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5896-344-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/5896-345-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/5896-382-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/5896-343-0x0000000071420000-0x0000000071BD0000-memory.dmp

Filesize
7.7MB

Download
memory/6004-403-0x000000001C3C0000-0x000000001C3DE000-memory.dmp

Filesize
120KB

Download
memory/6004-364-0x000000001B390000-0x000000001B406000-memory.dmp

Filesize
472KB

Download
memory/6004-500-0x000000001B350000-0x000000001B360000-memory.dmp

Filesize
64KB

Download
memory/6004-366-0x0000000000F40000-0x0000000000F6E000-memory.dmp

Filesize
184KB

Download
memory/6004-363-0x00007FFAF30B0000-0x00007FFAF3B71000-memory.dmp

Filesize
10.8MB

Download
memory/6004-374-0x000000001B350000-0x000000001B360000-memory.dmp

Filesize
64KB

Download
memory/6004-365-0x000000001B350000-0x000000001B360000-memory.dmp

Filesize
64KB

Download
memory/6004-433-0x00007FFAF30B0000-0x00007FFAF3B71000-memory.dmp

Filesize
10.8MB

Download
memory/6004-367-0x000000001B320000-0x000000001B332000-memory.dmp

Filesize
72KB

Download
memory/6004-368-0x000000001B310000-0x000000001B31A000-memory.dmp

Filesize
40KB

Download
memory/6004-362-0x0000000000610000-0x0000000000752000-memory.dmp

Filesize
1.3MB

Download