glupteba | 8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3

Analysis

max time kernel
19s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe
Size

389KB
MD5

a3d607292f456d782622bdf10ddcaa72
SHA1

e21e9ec6bc6234993591cd2034a019af59e98071
SHA256

8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3
SHA512

147401e381e5ec0a539cc7272721fd0893c6a603b64217539cef925579c32b9be6cd981b68cfbf6a5f484dddc50ddc9c3195172ce00524301206cbb6786df76e
SSDEEP

6144:hjuZSWCTeEVTAHT6HPqHr3aUb/memWBFU/iBHZGI3XCjA77lyJkJZVKM:hjtXVTAHyc3f/U6OiJZhXCsdyJ6ZVKM

Score

10^/10

glupteba sectoprat stealc zgrat dropper evasion loader rat stealer themida trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.62

Attributes

url_path
/902e53a07830e030.php

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5664-610-0x000001EC512C0000-0x000001EC54BB8000-memory.dmp	family_zgrat_v1
behavioral1/memory/5664-647-0x000001EC6F4F0000-0x000001EC6F600000-memory.dmp	family_zgrat_v1
behavioral1/memory/5664-651-0x000001EC6F1A0000-0x000001EC6F1C4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2812-146-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/3128-148-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/2812-361-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/3128-363-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/2228-427-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/3320-428-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/2228-540-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba
behavioral1/memory/3320-541-0x0000000000400000-0x0000000001DFC000-memory.dmp	family_glupteba

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5676-655-0x0000000000430000-0x00000000004F6000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

376 netsh.exe
5468 netsh.exe

pid	process
376	netsh.exe
5468	netsh.exe

Drops startup file 4 IoCs

Processes:

regsvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FnSHo5MW0XzcPIjob1VcZ1Iy.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dSaEVAKeY8uJkoWxfRQGqJA4.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZuwaU6ih2zjFX68PRdq5WaKk.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fV8M0oZhTk3IYluNl4M7Vguh.bat	regsvcs.exe

Executes dropped EXE 3 IoCs

Processes:

W3oaFbRgLnx7bF1fUPzEWyBz.exe12WI0E8coo4xJ48U7KjfKTjv.exedvoE20tDnS1Wc1J5wBJ9hiYP.exe

pid process

2812 W3oaFbRgLnx7bF1fUPzEWyBz.exe
3128 12WI0E8coo4xJ48U7KjfKTjv.exe
2644 dvoE20tDnS1Wc1J5wBJ9hiYP.exe

pid	process
2812	W3oaFbRgLnx7bF1fUPzEWyBz.exe
3128	12WI0E8coo4xJ48U7KjfKTjv.exe
2644	dvoE20tDnS1Wc1J5wBJ9hiYP.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\6ou4zW5YbNkoISVD6ossUyiO.exe	themida
behavioral1/memory/4240-281-0x0000000140000000-0x0000000140726000-memory.dmp	themida
behavioral1/memory/4240-425-0x0000000140000000-0x0000000140726000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 pastebin.com
21 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 api.myip.com
93 api.myip.com
95 ipinfo.io
96 ipinfo.io

flow	ioc
20	pastebin.com
21	pastebin.com

flow	ioc
92	api.myip.com
93	api.myip.com
95	ipinfo.io
96	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

Processes:

8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe

description	pid	process	target process
PID 4752 set thread context of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2284 2644 WerFault.exe dvoE20tDnS1Wc1J5wBJ9hiYP.exe
2168 4332 WerFault.exe u21g.0.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsvcs.exe

description pid process

Token: SeDebugPrivilege 724 regsvcs.exe

pid	pid_target	process	target process
2284	2644	WerFault.exe	dvoE20tDnS1Wc1J5wBJ9hiYP.exe
2168	4332	WerFault.exe	u21g.0.exe

pid	process
1376	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	724	regsvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exeregsvcs.exe

description	pid	process	target process
PID 4752 wrote to memory of 3188	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	msbuild.exe
PID 4752 wrote to memory of 3188	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	msbuild.exe
PID 4752 wrote to memory of 3188	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	msbuild.exe
PID 4752 wrote to memory of 572	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regasm.exe
PID 4752 wrote to memory of 572	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regasm.exe
PID 4752 wrote to memory of 572	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regasm.exe
PID 4752 wrote to memory of 4428	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	installutil.exe
PID 4752 wrote to memory of 4428	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	installutil.exe
PID 4752 wrote to memory of 4428	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	installutil.exe
PID 4752 wrote to memory of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 724	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 2268	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 2268	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 4752 wrote to memory of 2268	4752	8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe	regsvcs.exe
PID 724 wrote to memory of 2812	724	regsvcs.exe	W3oaFbRgLnx7bF1fUPzEWyBz.exe
PID 724 wrote to memory of 2812	724	regsvcs.exe	W3oaFbRgLnx7bF1fUPzEWyBz.exe
PID 724 wrote to memory of 2812	724	regsvcs.exe	W3oaFbRgLnx7bF1fUPzEWyBz.exe
PID 724 wrote to memory of 3128	724	regsvcs.exe	12WI0E8coo4xJ48U7KjfKTjv.exe
PID 724 wrote to memory of 3128	724	regsvcs.exe	12WI0E8coo4xJ48U7KjfKTjv.exe
PID 724 wrote to memory of 3128	724	regsvcs.exe	12WI0E8coo4xJ48U7KjfKTjv.exe
PID 724 wrote to memory of 2644	724	regsvcs.exe	dvoE20tDnS1Wc1J5wBJ9hiYP.exe
PID 724 wrote to memory of 2644	724	regsvcs.exe	dvoE20tDnS1Wc1J5wBJ9hiYP.exe
PID 724 wrote to memory of 2644	724	regsvcs.exe	dvoE20tDnS1Wc1J5wBJ9hiYP.exe

C:\Users\Admin\AppData\Local\Temp\8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe
"C:\Users\Admin\AppData\Local\Temp\8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
2⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
PID:572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
2⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Users\Admin\Pictures\W3oaFbRgLnx7bF1fUPzEWyBz.exe
"C:\Users\Admin\Pictures\W3oaFbRgLnx7bF1fUPzEWyBz.exe"
3⤵
- Executes dropped EXE
PID:2812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1820

C:\Users\Admin\Pictures\W3oaFbRgLnx7bF1fUPzEWyBz.exe
"C:\Users\Admin\Pictures\W3oaFbRgLnx7bF1fUPzEWyBz.exe"
4⤵
PID:2228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:4244

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6092

C:\Users\Admin\Pictures\12WI0E8coo4xJ48U7KjfKTjv.exe
"C:\Users\Admin\Pictures\12WI0E8coo4xJ48U7KjfKTjv.exe"
3⤵
- Executes dropped EXE
PID:3128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2916

C:\Users\Admin\Pictures\12WI0E8coo4xJ48U7KjfKTjv.exe
"C:\Users\Admin\Pictures\12WI0E8coo4xJ48U7KjfKTjv.exe"
4⤵
PID:3320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:5916

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:5468

C:\Users\Admin\Pictures\dvoE20tDnS1Wc1J5wBJ9hiYP.exe
"C:\Users\Admin\Pictures\dvoE20tDnS1Wc1J5wBJ9hiYP.exe"
3⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Temp\u21g.0.exe
"C:\Users\Admin\AppData\Local\Temp\u21g.0.exe"
4⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 2552
5⤵
- Program crash
PID:2168

C:\Users\Admin\AppData\Local\Temp\u21g.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u21g.2\run.exe"
4⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:5676

C:\Users\Admin\AppData\Local\Temp\u21g.3.exe
"C:\Users\Admin\AppData\Local\Temp\u21g.3.exe"
4⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
5⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1424
4⤵
- Program crash
PID:2284

C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe
"C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe" --silent --allusers=0
3⤵
PID:4792

C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe
C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6f3ce1d0,0x6f3ce1dc,0x6f3ce1e8
4⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VqIrDSf8cXUs7rlzbysmnBsN.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\VqIrDSf8cXUs7rlzbysmnBsN.exe" --version
4⤵
PID:1648

C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe
"C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4792 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240428080834" --session-guid=0f893662-beb7-429a-8ee8-8ba1a147d1c0 --server-tracking-blob="NTM3ZDhiOWEyN2MzMjc3M2E0YjAyMDc4NTIyMmJiNTJhZDZiOTAwNjQ3ODgxMjIyNWNlMTAyMWNjN2Y0NTk5OTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MjkxNjk4Ljg5ODciLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNWY3OWJkYjktNDdkYi00YzI3LTkyYzQtOWQyNTcyNjQ2MDc3In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000
4⤵
PID:2892

C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe
C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x29c,0x2ac,0x274,0x2b0,0x6fe3e1d0,0x6fe3e1dc,0x6fe3e1e8
5⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
4⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\assistant_installer.exe" --version
4⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x2b6038,0x2b6044,0x2b6050
5⤵
PID:5248

C:\Users\Admin\Pictures\6ou4zW5YbNkoISVD6ossUyiO.exe
"C:\Users\Admin\Pictures\6ou4zW5YbNkoISVD6ossUyiO.exe"
3⤵
PID:4240

C:\Users\Admin\Pictures\IHsvNRKn0HYqCxKPnPmCUHzt.exe
"C:\Users\Admin\Pictures\IHsvNRKn0HYqCxKPnPmCUHzt.exe"
3⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\7zSAE4C.tmp\Install.exe
.\Install.exe /WkfdidVYT "385118" /S
4⤵
PID:5712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:5908

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:6104

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:2856

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:4620

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:5436

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:5148

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:2528

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:5216

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:5884

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:5448

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:4980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
PID:4744

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:4388

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:5332

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:5492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:5560

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:5660

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 08:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSAE4C.tmp\Install.exe\" Wt /nRzdidlchG 385118 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:1376

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"
5⤵
PID:5240

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn biPxHmULFllsbMgnpt
6⤵
PID:5336

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn biPxHmULFllsbMgnpt
7⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3560 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:3
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2644 -ip 2644
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5592

C:\Users\Admin\AppData\Local\Temp\7zSAE4C.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSAE4C.tmp\Install.exe Wt /nRzdidlchG 385118 /S
1⤵
PID:6108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:5960

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:5476

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2384

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:2192

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:3628

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:3656

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:5136

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:5532

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:5812

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:1168

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:5780

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:5152

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4332 -ip 4332
1⤵
PID:5144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
a6ea7bfcd3aac150c0caef765cb52281

SHA1
037dc22c46a0eb0b9ad4c74088129e387cffe96b

SHA256
f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9

SHA512
c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
21KB

MD5
f01fdf2e7960e25c28c64cea925bf252

SHA1
3e931ece23bd0f6fd2413f462f41543127d81710

SHA256
4c0982d6e889ffda7c6eb647f2ef689348aa799d625bb0b4c295beb8747253f3

SHA512
1a13ec7a4456186440f09320a984a5ed8c0c926f2fe2ad65043a89053ba9129a877235fe94768c948d9c3270f1e678fad921cfacf9571cdf1298d7c01e4558ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ec1d8f8e0dda79bb66de2830ed1e6e3f

SHA1
d4c134739211e2338100515b3b0b3da57596a18b

SHA256
e8dd4c3f63e8a6d979afe26ef586c1c8275266e440ba0d28d543f2bea9a863de

SHA512
e03f63d080199987105377d002d0aa9be62c620dd47b049c9ae96d28a03ae9726c7a33ad4e11eebcbc43b33e00f6d246863abe156b4cde91a9e04dc924a6db44

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
Filesize
2.5MB

MD5
15d8c8f36cef095a67d156969ecdb896

SHA1
a1435deb5866cd341c09e56b65cdda33620fcc95

SHA256
1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8

SHA512
d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\assistant_installer.exe
Filesize
1.9MB

MD5
976bc8e5fe65f9bb56831e20f1747150

SHA1
f9e7f5628aaaabed9939ef055540e24590a9ccfb

SHA256
f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0

SHA512
2858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\dbgcore.dll
Filesize
166KB

MD5
9ebb919b96f6f94e1be4cdc6913ef629

SHA1
31e99ac4fba516f82b36bd81784e8d518b32f9df

SHA256
fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119

SHA512
a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\assistant\dbghelp.dll
Filesize
1.7MB

MD5
544255258f9d45b4608ccfd27a4ed1dd

SHA1
571e30ceb9c977817b5bbac306366ae59f773497

SHA256
3b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68

SHA512
2093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404280808341\opera_package
Filesize
38.5MB

MD5
fdcfeea71ca1d292580f9ac178487215

SHA1
e12a24f613cdbde1884e19e14f2f8a90c88ae5c1

SHA256
7e8f4f250de07d0ea67b61206af3aeef06c988b203a132448be1df7b2790d221

SHA512
7a6ebfc6eeefab2960f5dd36cbaabc7afcd95a33d3dd3ece7053e6736d6201e54353a0d09ba04f7d3572e7382c12812907dbcf1a9c0e638d4e63f24842794883

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ea5b475
Filesize
1.4MB

MD5
4ce86612158d7e6493fc7e10e274c042

SHA1
af24874b5b14bc79b41e260a83c8b6fea3d18f24

SHA256
fea32dcbed2d3c8e42ee68fe85486e4d6c608d16193e2aa8b634a62c7c6328d9

SHA512
648b31184f160948e7bf46d40cc673e8562f8b5a16837f58a9913a3e7e1687d1435e34791161b9f2312d947c2b41f090a70e4ac44d371c6c5fb485f0c9c176fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE4C.tmp\Install.exe
Filesize
6.4MB

MD5
90487eb500021dbcb9443a2cf972a204

SHA1
62ae31665d462c8e5d6632f389b1e94afb9bf00d

SHA256
4a86ca84b985a5228eccd13f225bb403e9574e7f64b900a9acc4d32bcb732ff2

SHA512
8cb3b1ae44246bee8bf2b81220d7a5782c4e82b2b871a81bdc9ea170fbe477d7be59c3543554f2cdefde7422bcc88b6624b966dff1603c79d277329fb2074d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404280808300084792.dll
Filesize
4.6MB

MD5
45fe60d943ad11601067bc2840cc01be

SHA1
911d70a6aad7c10b52789c0312c5528556a2d609

SHA256
0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add

SHA512
30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4ecmsvo.44j.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
551abb00053a4a314b16ac470ae86ee1

SHA1
244b7a7204ab22100cc1f875654f65b57f8b93f5

SHA256
c680c4c749220c279ea661dd0dcf7a4de33070600c61b68165932390a1d0658a

SHA512
09aac4170e1310301b87a9942fcd0dc1f8f0e88e184a839881c0a87372f8c54c61001ce24ee3ea186750a7d2d146739876fb12961d3ca27c91dafca5df0910d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
8be9a81153500d03b06693576cad3cb9

SHA1
fe96c89dd197e792b945a05f503ec056b845596b

SHA256
b809d13c4529fba91ade429bcaaab9bc301be0e5ba9565dde025329d6c9ba2e9

SHA512
05af6aa83f8f18a1c1eea7f2f93503090d132cc261fa8e05d679bbd0725274e9e3c888a5f817e899096f656e5f55aafd4345430eb3633e725ab8387ad4167177

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C68.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CE8.tmp
Filesize
20KB

MD5
91dbaf73c1a8c55254d90272f998e412

SHA1
2b86b31c8c00c937291e5ac3b1d134a5df959acf

SHA256
0628922305d2478ba75a48efadf932d439616eaf1ff908be334793f7bde28107

SHA512
109f4f59616cc1d1682b4d9468804f7668c77ce1878afec06a57037193f31a9c1c39f5d269277462936373b129d26488cddcc34d455c27185534e7754baaa988

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21g.0.exe
Filesize
311KB

MD5
d8f0480ffd9a82c2532b6be3fbee1a76

SHA1
c72dc3cab1dc67c8039e7acabef9776fb244d74a

SHA256
76b73bd1533ce48cd2cf55316e62b3869e920992c4d7673339f9c5eefa7d922a

SHA512
13daf8bf9853043ad1913f45b634ac4d7b59d9320101e5b30ce9407ec1ca15fa1a990e67409cf9d3aeab10107a6e8ead6e79f55fee718a844a38556817c92116

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21g.1.zip
Filesize
3.7MB

MD5
78d3ca6355c93c72b494bb6a498bf639

SHA1
2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

SHA256
a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

SHA512
1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21g.2\UIxMarketPlugin.dll
Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21g.2\bunch.dat
Filesize
1.3MB

MD5
1e8237d3028ab52821d69099e0954f97

SHA1
30a6ae353adda0c471c6ed5b7a2458b07185abf2

SHA256
9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742

SHA512
a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21g.2\relay.dll
Filesize
1.5MB

MD5
10d51becd0bbce0fab147ff9658c565e

SHA1
4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

SHA256
7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

SHA512
29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21g.2\run.exe
Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21g.2\whale.dbf
Filesize
85KB

MD5
a723bf46048e0bfb15b8d77d7a648c3e

SHA1
8952d3c34e9341e4425571e10f22b782695bb915

SHA256
b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

SHA512
ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21g.3.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
85bb0477766cd274d44c26b6a6e2d089

SHA1
8983aa1de29f663b2fe8ea8e78656846d537aa0a

SHA256
c7794942de1e28386c1053df33c27361bf5ddd8a33dbf1b0d3c653b24b1bdaf3

SHA512
7d4a5eacd1bd2033feb0ae3bc9cf56c6333f2ebf8574a2e85861f8f00b6f1f0acf3596c0af1e0abc8846731739dc90b50eea01db40ae54fa90b2f58fcf52f8f9

Download Submit
C:\Users\Admin\Pictures\6ou4zW5YbNkoISVD6ossUyiO.exe
Filesize
5.5MB

MD5
6594ae629a57ed2f362580f965c35e6d

SHA1
22265be65a195e010590861d000457f80009976c

SHA256
798ae52b486efb40cdb543396442d66aaee8c2176a469e045437b32418b9297e

SHA512
d641e7cb0661d30edd5c8ca7bea935018f8206073fa88d95974825ca33a90850cd2627b23bb30c6244b35e87e671b13d7433d621afbc948791884d26883f9597

Download Submit
C:\Users\Admin\Pictures\IHsvNRKn0HYqCxKPnPmCUHzt.exe
Filesize
6.3MB

MD5
a63018cc078f57c640ac2ec8ed84dead

SHA1
1f5c17894a755114527e92304f4a74195c48031d

SHA256
41d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558

SHA512
a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864

Download Submit
C:\Users\Admin\Pictures\VqIrDSf8cXUs7rlzbysmnBsN.exe
Filesize
5.1MB

MD5
5d4929a0f53e92632974b6941e6d2a2e

SHA1
f05155ab616e48202bce84e762b342a009a85a14

SHA256
dc22945c0a9cbafc04a4d622b62007dfac2031c63c3117ee7aa7130a9a416c35

SHA512
f69ef0e56a1cddc782030a3c6bae5f8aac2f8e71ea57a9d41a2f77b10a7bc1b9ca25d5e56ac0dfaa22d995edaef05f1615dee650e5b3c7a3109f18cd785c2975

Download Submit
C:\Users\Admin\Pictures\W3oaFbRgLnx7bF1fUPzEWyBz.exe
Filesize
4.2MB

MD5
93d6b0ac7b5a6f52f42de208d3e1f94f

SHA1
fb2c7e05f10cc470bdfe963199f044971323a4f5

SHA256
9d406ab6a332a3089457fa7ec493e3b1722a9ac81584215423335fdb391391ae

SHA512
f042c5463ad02fd927d147f6430182659585b48b8cba0498d1823b58abf6c48ab496333abbcdc2dc878a05a9d238679436ede31ff44fc1295367ea37884bd1b1

Download Submit
C:\Users\Admin\Pictures\Xa2FYO4mopfvlaXDBUfIo3B3.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\dvoE20tDnS1Wc1J5wBJ9hiYP.exe
Filesize
456KB

MD5
66cf4b0695b91283420f4e68a239e078

SHA1
2a8c72655d939cf0489566b24b065394b8cb2136

SHA256
4d1259d2ca725766850d79a00a0dbbc6ab0d0b7d904fddb14980f56b630f0fcd

SHA512
4b80947dc59bd7f0ea72e1db552ae5de9d99c0d562f0ddb5c2d3dd467f0ce1ae996b06aac192967b2385840773e18d9519db263ea7f9323bf0b7aab4eccc8bb3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
49KB

MD5
cdb70dc039771fcf9e67cc141d6df24d

SHA1
4dcb1fadbaf419515b1268ea89207cc6c7069950

SHA256
421c1a2bc981103c332c94391868a5a519badcd9867a6063b8fc4518596da3f3

SHA512
a1c2096f2657daa625be64b4ecf295d24a5d50c46302fe9a8f1df809ae2a9fe27a0340978cecb8f057cb6eb8ac11236d47717ecd80d894268c4bb9167a28225d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
b541c52b0ff7949723f1317ddb6ee046

SHA1
df54f7e5a39df974aed3362865c370336b6b366e

SHA256
6f9faffa2c0035d924eca4dff79faf9cf6f367193278f7073a890f454515c786

SHA512
91caab6312561b6254a474b297faf884f277d666b45a3aa331e9a0e50088f1fcb5f9d14276552b70945fc556c137882175d131feb31178595b5df51ae050551d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
memory/724-8-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/724-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/724-6-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/1820-65-0x0000000005130000-0x0000000005196000-memory.dmp

Filesize
408KB

Download
memory/1820-86-0x0000000005E90000-0x0000000005EAE000-memory.dmp

Filesize
120KB

Download
memory/1820-62-0x0000000002540000-0x0000000002576000-memory.dmp

Filesize
216KB

Download
memory/1820-255-0x0000000007690000-0x0000000007698000-memory.dmp

Filesize
32KB

Download
memory/1820-63-0x0000000005220000-0x0000000005848000-memory.dmp

Filesize
6.2MB

Download
memory/1820-66-0x00000000051A0000-0x0000000005206000-memory.dmp

Filesize
408KB

Download
memory/1820-142-0x0000000007550000-0x0000000007561000-memory.dmp

Filesize
68KB

Download
memory/1820-136-0x00000000075F0000-0x0000000007686000-memory.dmp

Filesize
600KB

Download
memory/1820-194-0x00000000075A0000-0x00000000075B4000-memory.dmp

Filesize
80KB

Download
memory/1820-116-0x0000000007430000-0x00000000074D3000-memory.dmp

Filesize
652KB

Download
memory/1820-89-0x0000000006FA0000-0x0000000007016000-memory.dmp

Filesize
472KB

Download
memory/1820-107-0x00000000073D0000-0x00000000073EE000-memory.dmp

Filesize
120KB

Download
memory/1820-95-0x000000006FBB0000-0x000000006FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1820-90-0x00000000078D0000-0x0000000007F4A000-memory.dmp

Filesize
6.5MB

Download
memory/1820-91-0x0000000007250000-0x000000000726A000-memory.dmp

Filesize
104KB

Download
memory/1820-93-0x000000006F980000-0x000000006F9CC000-memory.dmp

Filesize
304KB

Download
memory/2100-594-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2100-426-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2100-539-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2228-427-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/2228-540-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/2644-406-0x0000000000400000-0x0000000001A3D000-memory.dmp

Filesize
22.2MB

Download
memory/2644-150-0x0000000000400000-0x0000000001A3D000-memory.dmp

Filesize
22.2MB

Download
memory/2812-361-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/2812-146-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/2916-105-0x000000006FBB0000-0x000000006FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2916-92-0x0000000007010000-0x0000000007042000-memory.dmp

Filesize
200KB

Download
memory/2916-64-0x0000000004990000-0x00000000049B2000-memory.dmp

Filesize
136KB

Download
memory/2916-117-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/2916-171-0x00000000071A0000-0x00000000071AE000-memory.dmp

Filesize
56KB

Download
memory/2916-247-0x0000000007950000-0x000000000796A000-memory.dmp

Filesize
104KB

Download
memory/2916-94-0x000000006F980000-0x000000006F9CC000-memory.dmp

Filesize
304KB

Download
memory/2916-88-0x0000000006AA0000-0x0000000006AE4000-memory.dmp

Filesize
272KB

Download
memory/2916-82-0x0000000005460000-0x00000000057B4000-memory.dmp

Filesize
3.3MB

Download
memory/2916-87-0x0000000005F60000-0x0000000005FAC000-memory.dmp

Filesize
304KB

Download
memory/3128-363-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/3128-148-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/3320-428-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/3320-541-0x0000000000400000-0x0000000001DFC000-memory.dmp

Filesize
26.0MB

Download
memory/3992-296-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/3992-359-0x000000006E460000-0x000000006E5DB000-memory.dmp

Filesize
1.5MB

Download
memory/3992-292-0x000000006E460000-0x000000006E5DB000-memory.dmp

Filesize
1.5MB

Download
memory/4240-425-0x0000000140000000-0x0000000140726000-memory.dmp

Filesize
7.1MB

Download
memory/4240-281-0x0000000140000000-0x0000000140726000-memory.dmp

Filesize
7.1MB

Download
memory/4332-424-0x0000000000400000-0x0000000001A19000-memory.dmp

Filesize
22.1MB

Download
memory/4332-274-0x0000000000400000-0x0000000001A19000-memory.dmp

Filesize
22.1MB

Download
memory/4332-118-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4332-529-0x0000000000400000-0x0000000001A19000-memory.dmp

Filesize
22.1MB

Download
memory/4612-582-0x000000006E460000-0x000000006E5DB000-memory.dmp

Filesize
1.5MB

Download
memory/4612-407-0x00007FFD97290000-0x00007FFD97485000-memory.dmp

Filesize
2.0MB

Download
memory/4744-633-0x0000000006240000-0x0000000006262000-memory.dmp

Filesize
136KB

Download
memory/4744-634-0x00000000072B0000-0x0000000007854000-memory.dmp

Filesize
5.6MB

Download
memory/4752-1-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4752-2-0x0000019CDF970000-0x0000019CDF980000-memory.dmp

Filesize
64KB

Download
memory/4752-3-0x0000019CC6EF0000-0x0000019CC6EFC000-memory.dmp

Filesize
48KB

Download
memory/4752-4-0x0000019CC7080000-0x0000019CC70DC000-memory.dmp

Filesize
368KB

Download
memory/4752-7-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4752-0-0x0000019CC5330000-0x0000019CC533C000-memory.dmp

Filesize
48KB

Download
memory/5664-610-0x000001EC512C0000-0x000001EC54BB8000-memory.dmp

Filesize
57.0MB

Download
memory/5664-647-0x000001EC6F4F0000-0x000001EC6F600000-memory.dmp

Filesize
1.1MB

Download
memory/5664-651-0x000001EC6F1A0000-0x000001EC6F1C4000-memory.dmp

Filesize
144KB

Download
memory/5664-650-0x000001EC56810000-0x000001EC56824000-memory.dmp

Filesize
80KB

Download
memory/5664-648-0x000001EC54FB0000-0x000001EC54FC0000-memory.dmp

Filesize
64KB

Download
memory/5664-649-0x000001EC56960000-0x000001EC5696C000-memory.dmp

Filesize
48KB

Download
memory/5676-659-0x0000000004C50000-0x0000000004E12000-memory.dmp

Filesize
1.8MB

Download
memory/5676-656-0x00000000049A0000-0x0000000004A32000-memory.dmp

Filesize
584KB

Download
memory/5676-664-0x0000000004A60000-0x0000000004A6A000-memory.dmp

Filesize
40KB

Download
memory/5676-665-0x0000000005D50000-0x000000000627C000-memory.dmp

Filesize
5.2MB

Download
memory/5676-663-0x0000000004BD0000-0x0000000004C20000-memory.dmp

Filesize
320KB

Download
memory/5676-619-0x000000006C100000-0x000000006D354000-memory.dmp

Filesize
18.3MB

Download
memory/5676-666-0x0000000005890000-0x00000000058AE000-memory.dmp

Filesize
120KB

Download
memory/5676-655-0x0000000000430000-0x00000000004F6000-memory.dmp

Filesize
792KB

Download
memory/5712-430-0x0000000000310000-0x0000000000984000-memory.dmp

Filesize
6.5MB

Download
memory/5712-464-0x0000000010000000-0x00000000105E1000-memory.dmp

Filesize
5.9MB

Download
memory/5916-498-0x000000006D690000-0x000000006D9E4000-memory.dmp

Filesize
3.3MB

Download
memory/5916-521-0x0000000007620000-0x0000000007631000-memory.dmp

Filesize
68KB

Download
memory/5916-508-0x0000000007140000-0x00000000071E3000-memory.dmp

Filesize
652KB

Download
memory/5916-547-0x0000000007690000-0x00000000076A4000-memory.dmp

Filesize
80KB

Download
memory/5916-497-0x000000006E770000-0x000000006E7BC000-memory.dmp

Filesize
304KB

Download
memory/5924-445-0x00000000054E0000-0x0000000005834000-memory.dmp

Filesize
3.3MB

Download
memory/5924-510-0x000000006E770000-0x000000006E7BC000-memory.dmp

Filesize
304KB

Download
memory/5924-466-0x0000000006070000-0x00000000060BC000-memory.dmp

Filesize
304KB

Download
memory/5924-511-0x000000006D690000-0x000000006D9E4000-memory.dmp

Filesize
3.3MB

Download
memory/6108-564-0x0000000000310000-0x0000000000984000-memory.dmp

Filesize
6.5MB

Download
memory/6108-616-0x0000000010000000-0x00000000105E1000-memory.dmp

Filesize
5.9MB

Download