Analysis Overview
SHA256
5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71
Threat Level: Known bad
The file 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71 was found to be: Known bad.
Malicious Activity Summary
ZGRat
Detect ZGRat V1
Amadey
RisePro
Rhadamanthys
RedLine
Modifies firewall policy service
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
Blocklisted process makes network request
Checks BIOS information in registry
Themida packer
Checks computer location settings
Identifies Wine through registry keys
Reads user/profile data of web browsers
Reads local data of messenger clients
Reads WinSCP keys stored on the system
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Enumerates connected drives
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
AutoIT Executable
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-29 12:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 12:02
Reported
2024-03-29 12:05
Platform
win10v2004-20240226-en
Max time kernel
66s
Max time network
156s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000042001\8d3bf4fb3f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\8d3bf4fb3f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\8d3bf4fb3f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000042001\8d3bf4fb3f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000042001\8d3bf4fb3f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8d3bf4fb3f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\8d3bf4fb3f.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4456 set thread context of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe |
| PID 3244 set thread context of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorha.job | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe
"C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000042001\8d3bf4fb3f.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\8d3bf4fb3f.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b93946f8,0x7ff8b9394708,0x7ff8b9394718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b93946f8,0x7ff8b9394708,0x7ff8b9394718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b93946f8,0x7ff8b9394708,0x7ff8b9394718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1440,6472677649166302999,8829356477561301467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16805724978269496555,4572318665840652242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,11597890656412693344,12723515643760395449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Users\Admin\Pictures\dWBvBwmTRm9ZgeQNt2TmrUE0.exe
"C:\Users\Admin\Pictures\dWBvBwmTRm9ZgeQNt2TmrUE0.exe"
C:\Users\Admin\Pictures\HCO2PRsPkFQ0NgdQ26PRiFfk.exe
"C:\Users\Admin\Pictures\HCO2PRsPkFQ0NgdQ26PRiFfk.exe"
C:\Users\Admin\Pictures\u9FbQazZCGbhOPEWw7NysUNU.exe
"C:\Users\Admin\Pictures\u9FbQazZCGbhOPEWw7NysUNU.exe"
C:\Users\Admin\Pictures\MGAPfR4lrm4NgDJ4VS7TTIZQ.exe
"C:\Users\Admin\Pictures\MGAPfR4lrm4NgDJ4VS7TTIZQ.exe"
C:\Users\Admin\Pictures\XdejNUnSWCCGlUoslTtOUNpi.exe
"C:\Users\Admin\Pictures\XdejNUnSWCCGlUoslTtOUNpi.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4844 -ip 4844
C:\Users\Admin\AppData\Local\Temp\u17k.0.exe
"C:\Users\Admin\AppData\Local\Temp\u17k.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 852
C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe
"C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe" --silent --allusers=0
C:\Users\Admin\AppData\Local\Temp\u17k.1.exe
"C:\Users\Admin\AppData\Local\Temp\u17k.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1568 -ip 1568
C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe
C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6b54e1d0,0x6b54e1dc,0x6b54e1e8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1444
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eXIo32VRSUhp0Y3EPrFjmaEN.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\eXIo32VRSUhp0Y3EPrFjmaEN.exe" --version
C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe
"C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1968 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329120440" --session-guid=4fc1f868-dbef-4c2d-802c-604818e4e0ed --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=DC04000000000000
C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe
C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b4,0x2b8,0x2bc,0x284,0x2c0,0x6a8ee1d0,0x6a8ee1dc,0x6a8ee1e8
C:\Users\Admin\Pictures\bK9TTH2qJlwHcdz6WyToQqiT.exe
"C:\Users\Admin\Pictures\bK9TTH2qJlwHcdz6WyToQqiT.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5580 -ip 5580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5580 -ip 5580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 668
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204401\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204401\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204401\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x3d0040,0x3d004c,0x3d0058
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Network
Files
memory/5884-551-0x0000000000790000-0x0000000000C3F000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 92fbdfccf6a63acef2743631d16652a7 |
| SHA1 | 971968b1378dd89d59d7f84bf92f16fc68664506 |
| SHA256 | b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72 |
| SHA512 | b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117 |
memory/4456-582-0x0000000000F40000-0x0000000001400000-memory.dmp
memory/1652-585-0x0000000000820000-0x0000000000BEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
| MD5 | 832eb4dc3ed8ceb9a1735bd0c7acaf1b |
| SHA1 | b622a406927fbb8f6cd5081bd4455fb831948fca |
| SHA256 | 2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7 |
| SHA512 | 3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894 |
memory/2252-617-0x0000000000AC0000-0x0000000000F80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fe3aab3ae544a134b68e881b82b70169 |
| SHA1 | 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6 |
| SHA256 | bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b |
| SHA512 | 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280 |
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
| MD5 | 83d0b41c7a3a0d29a268b49a313c5de5 |
| SHA1 | 46f3251c771b67b40b1f3268caef8046174909a5 |
| SHA256 | 09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9 |
| SHA512 | 705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b6a25a6c2228d5e8c6d21de29f7ab9b |
| SHA1 | 08b46ff30e31bb8b32ed835458f40885d5f3f305 |
| SHA256 | a2ac48e136a9d05230a7710bf2a0777dc5537066ba16a4dd0cc5f904040677e7 |
| SHA512 | c67ac96967fcd644d2c6c27de99bda74e05adf169a10b0126af3558f71ec019882df92a554e9fdd368eed797a3c27b2afb409a681e9c35ae879ad93ee08cad7a |
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 32a43d52cd39b5663504aacb566b2045 |
| SHA1 | b96b35555c7d193c97b3564d06d151082886104e |
| SHA256 | e4b690fd5b57890e83fdda0c40bf21220129b0bc0ee18225de2a3503d4773890 |
| SHA512 | a4929b7c39ce2b2587a84ece6c5f403273c8c2674a51866facefd0443fc6efd61fd2b94e36ab16be13088c1ec0c8768f127a56aac42b910373a4e63d8c8ea374 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
| MD5 | 011104582436434f5a076eae510f010a |
| SHA1 | 7874b0f4d18c76906b0a6497c62b3b79cf969c09 |
| SHA256 | 591549e538ecf662dba41aa254e68bea2f1979cec52386cc9a4db6f556c4db17 |
| SHA512 | 35f7f6affcc3a0ce533e3ffa2f7ec8c655245db1bb3ee602a496f79d3590ba29ea23d52f3e3eba5dc031a9f6ee22185b5a580d967cfcabb4d1e8a811ad4c0906 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0f76ea941064db73cae0f43777da332e |
| SHA1 | e7e532dd8564799b24241065cb163ddcc95ac059 |
| SHA256 | 2defb341bb7a59f3585e98187961ef08fdf5e816e961ef1d695212b16905c4c2 |
| SHA512 | c3b63f03c26f137d65c707fecb9263e48648b4e4918de4affbd408b3ed4de7e460f88d983f69e0abec4b0b88b22cd8c6724e959216db72c5967e193ec345ec87 |
C:\Users\Admin\AppData\Local\Temp\tmp71C2.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmp7291.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp72C3.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
| MD5 | 1e1152424d7721a51a154a725fe2465e |
| SHA1 | 62bc3d11e915e1dbd3cc3ef5a11afec755c995d9 |
| SHA256 | 674cf1a8997ec6ac5b29b8d7eb6a5fb63ce5aaf4b19ff1ec7749b0225c49906c |
| SHA512 | 752e7912d30a2f006ef79600b7412db61644630471ec44bab1e5b2565ef62ccb490ea69159420bb7626248cc8113fe07c09fa51f5c630646b179d880e18b7c02 |
memory/3152-776-0x0000000000320000-0x00000000006EC000-memory.dmp
memory/5884-777-0x0000000000790000-0x0000000000C3F000-memory.dmp
memory/4988-796-0x0000000004F80000-0x0000000005196000-memory.dmp
memory/4988-797-0x0000000004F80000-0x0000000005196000-memory.dmp
memory/4988-799-0x0000000004F80000-0x0000000005196000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 3c3d26c73493270ca5a0d508fcf46e38 |
| SHA1 | 36dbcda94bed3cb3c76d4b1af1adc7bf9afb5ff4 |
| SHA256 | 41fb7b62cd614dd22a2f4660b71a33324f7c06d75512b2953f3c14f3b7bf0b9c |
| SHA512 | 60dfe8ea51ca82a53dc6308a6a83e9b51498f7de91919d4d8fa3eddd37f598b164b9b0e2732ef3ae08efdd607a7372f07dd6473a08eccfe37c72d3ab13bbd0a1 |
memory/4988-804-0x0000000004F80000-0x0000000005196000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
| MD5 | c084d6f6ba40534fbfc5a64b21ef99ab |
| SHA1 | 0b4a17da83c0a8abbc8fab321931d5447b32b720 |
| SHA256 | afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624 |
| SHA512 | a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1 |
memory/4988-815-0x0000000004F80000-0x0000000005196000-memory.dmp
memory/4988-819-0x0000000004F80000-0x0000000005196000-memory.dmp
memory/4988-827-0x0000000004F80000-0x0000000005196000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2afdbe3b99a4736083066a13e4b5d11a |
| SHA1 | 4d4856cf02b3123ac16e63d4a448cdbcb1633546 |
| SHA256 | 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee |
| SHA512 | d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f |
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
| MD5 | 16f67f1a6e10f044bc15abe8c71b3bd6 |
| SHA1 | ce0101205b919899a2a2f577100377c2a6546171 |
| SHA256 | 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89 |
| SHA512 | a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c |
C:\Users\Admin\Pictures\Ob7LVKuJzve3QMh7UyQ2ulEE.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\dWBvBwmTRm9ZgeQNt2TmrUE0.exe
| MD5 | a05eb8eeeb2ec539e4f54ac435ba86bc |
| SHA1 | 72ed93362d4c17434981cf5fd0e3888c44587dfb |
| SHA256 | e57e37490a710106cb78deba4b189fc867b994d4ade9f040dc5486665f549708 |
| SHA512 | 69456e5c0f237820642c8790746866979db14c40099287b6b3409b305a314cafccbe2a443812824096cd5a9dac9a1e6710a8154479cb050a6aa17d3054143201 |
C:\Users\Admin\Pictures\nvXybaDMWSJ6ZxwmjlszRMNc.exe
| MD5 | 8af5e641db960af56d7703111adfd158 |
| SHA1 | 95ff33db38f6b4ea85b7079d074ebb3487e306a3 |
| SHA256 | 98f8414500344a14423222267583335b85de486277c10af1cb34f5929ad99725 |
| SHA512 | 305013c60fac56c61901a3972d5e3af46a6c786c2893b08a4a0cd9cb9fe12b23f08265dd2d3509532a26738a05a6b5556872fc8a3f695bbbabf6a9ec6215bc44 |
C:\Users\Admin\Pictures\QsVIm1ykYw6tcPUBpJMtZUmr.exe
| MD5 | 97eabf8d34c74368bd8318eb587100af |
| SHA1 | a092bb69599eb898a4625f93cfa888787fc4ed88 |
| SHA256 | 5cd32e0b1b5429e83a09ab7d6f6d8b378c4dbe3ec9774523bb6354fa62b100a7 |
| SHA512 | a4759805283c08cccd616c4f533bf67fed864239e6060f601fc6b9d106a993e10d5ba397319454d5892c4d34e9856699769382395643fe89575222367c2322bc |
C:\Users\Admin\AppData\Local\9YP0OZtxe49udlLQMGyFujVJ.exe
| MD5 | 98273a3121a2516cda6f31e67ec2d52f |
| SHA1 | 01c6990adecce2b1e4794429f478fc3f63baaf83 |
| SHA256 | 1c65e140170310153ba3929cdedecf221ae57e55c79b97fa1a4601f4d97ee988 |
| SHA512 | c633c87af70740d7d147a62ea91cd7fe8764b816fe7b2a076955d6a35474dd745a2c5d05f39efd32b204e59845914d2e4d571d2440f78bbc6d2ab71491343118 |
C:\Users\Admin\Pictures\MGAPfR4lrm4NgDJ4VS7TTIZQ.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
C:\Users\Admin\AppData\Local\Temp\u17k.0.exe
| MD5 | 87188a05666ced303bb17f04ec29042f |
| SHA1 | 651ae4e7b98655fd4dd2de62b0111dacac47cd9e |
| SHA256 | 97332596f72bc538f176fddac06e1c2ba40922ee87329d8be32d7ac80127de97 |
| SHA512 | 14301c8b8641e5e19203abfcc17755ccefe2b551c3e6ff235b21ccb17e4ee977a060ed7ee7268c446d86191f271bddcb8a59d22e61e1cf9ff7a46d0ee09dbb99 |
C:\Users\Admin\Pictures\eXIo32VRSUhp0Y3EPrFjmaEN.exe
| MD5 | 1699bed6ce65a5cdf0bdd13f8bda5eea |
| SHA1 | d850a5052a50627e866cc5804b4e667ebd45d11c |
| SHA256 | d6f95dc5497f820882ad6bc4667202d9b6d83e7086f70feaad137db921fe4fa8 |
| SHA512 | c7973eaf3feb08f5b4650d209ebef379d15dc057dffcfeeb296e4b5b4ac698128878495994df9c4a0703922582fd44659609b8d0e07a2a2c3fa8dc3a0f56e0e0 |
C:\Users\Admin\AppData\Local\Temp\u17k.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403291204400155680.dll
| MD5 | 117176ddeaf70e57d1747704942549e4 |
| SHA1 | 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b |
| SHA256 | 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af |
| SHA512 | ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9 |
C:\Users\Admin\Pictures\bK9TTH2qJlwHcdz6WyToQqiT.exe
| MD5 | 858bb0a3b4fa6a54586402e3ee117076 |
| SHA1 | 997c31f043347883ea5ed2323a558b6cc5ea9c8e |
| SHA256 | d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35 |
| SHA512 | e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | b9cfe1b665fd0f71b81947f9385863e6 |
| SHA1 | cb4bcc6a73f500a87a4c80e578c809587af0c522 |
| SHA256 | 5512fe266bd13f0972b2ac26e474da710051ace530bd24432dcedeecd898bbbb |
| SHA512 | d5f5e22f5d08b034967a0b1f75abe402215e5387006a697534d577858dad3e784003d9adee597ee00fe4541f8841c07fe549a04312753872ced2d1a1d106c6b2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204401\opera_package
| MD5 | 5665a7a6149d83fa3990b0bfcafdf90f |
| SHA1 | 14fbf350ceb7f7debe7743faa0baaa5521efae50 |
| SHA256 | 46b20184dcc42ba8671ab9af22810c3fb6825e390273b3cbe405ffc5e1a07be2 |
| SHA512 | de4980f697e06f800e3ddac36ad5528183b5ee2f2793f189e02138572edeffd262a0749b2b629bea9c526841d9c9a2e2e5e3dee40626382d684aebf52c42df11 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204401\additional_file0.tmp
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | dc733b1258f7bebafb5410701c758931 |
| SHA1 | e53ebc45917fbc08e425eb1e9807e2a9385f1fb0 |
| SHA256 | ed4892bff3ec8c5e1cba88edf8e800f7a812013d2a04642b59e1775f18a8cf2b |
| SHA512 | 348fb198f191c962d78c0d71ca5b20ca8b69bca50dc485f0efa81a02f5660d9ff7f16eebe7ab11f42e69d87e6f9a5593db017b0ba480aaa88859c22622445edf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 12:02
Reported
2024-03-29 12:05
Platform
win11-20240214-en
Max time kernel
106s
Max time network
148s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
RisePro
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4732 created 2932 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\fa136186c5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\fa136186c5.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5828 set thread context of 5940 | N/A | C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2064 set thread context of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5980 set thread context of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe |
| PID 2884 set thread context of 4732 | N/A | C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorha.job | C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe | N/A |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe
"C:\Users\Admin\AppData\Local\Temp\5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\fa136186c5.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe7f4d3cb8,0x7ffe7f4d3cc8,0x7ffe7f4d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,12120944477741708760,4476226757659418759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1769692498864712888,10771721504036366289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,432994451060306919,15555851715209833864,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Users\Admin\Pictures\7XOdWfBvqYD2zr7D32WZ5nBW.exe
"C:\Users\Admin\Pictures\7XOdWfBvqYD2zr7D32WZ5nBW.exe"
C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe
"C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe"
C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe
"C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe"
C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exe
"C:\Users\Admin\Pictures\sBQBvSsSDy0nlGEPLWZcnRx8.exe"
C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe
"C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2884 -ip 2884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 872
C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4d8.0.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4732 -ip 4732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4732 -ip 4732
C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe
"C:\Users\Admin\Pictures\kwYlaP9uD9LrQoim5vqU1u4e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 556
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
"C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe" --silent --allusers=0
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6b8ce1d0,0x6b8ce1dc,0x6b8ce1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GJtEpu5Q82iE8KmlETcVsp6w.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GJtEpu5Q82iE8KmlETcVsp6w.exe" --version
C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4d8.1.exe"
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
"C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6000 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329120436" --session-guid=3a216780-4c1f-45f8-b410-6c7859a29b85 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe
C:\Users\Admin\Pictures\GJtEpu5Q82iE8KmlETcVsp6w.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6af4e1d0,0x6af4e1dc,0x6af4e1e8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291204361\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x1140040,0x114004c,0x1140058
C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe
"C:\Users\Admin\Pictures\QczTYBqaeUMB72OyxPvWtk3N.exe"
C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe
"C:\Users\Admin\Pictures\oJ5kiJCUAy0r5oi0Sd1oMiVU.exe"
C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe
"C:\Users\Admin\Pictures\E5NymT1DuZ5SVrBCmwRAhkW7.exe"
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 3520
C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe
"C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
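The process list above is a flat dump of command lines. The following Python is an added example, not part of this sandbox report and not a vendor's detection content: a small rule set that tags the behaviours visible in that list (the one-minute schtasks repeat for NewB.exe, the netsh allow rule for C:\Windows\rss\csrss.exe, rundll32 loading cred64.dll/clip64.dll from AppData, the ping/choice delay before a Del, the Compress-Archive staging step, the Wi-Fi profile enumeration, and RegAsm.exe started with no arguments). The tag names and regexes are my own; the sample input is command lines copied from the list above plus one benign svchost line from the same list as a negative control.

```python
import re

# Added example: command-line triage rules for the behaviours shown in the
# Processes list. Tag names are this example's own labels, not a taxonomy.
RULES = [
    # schtasks /Create repeating every minute (the NewB.exe task above)
    ("persistence.schtasks_minute_interval",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b', re.I)),
    # netsh advfirewall allow rule whose program is outside System32/SysWOW64/Program Files
    ("firewall.allow_rule_outside_system_dirs",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*'
                r'\bprogram=(?!"?(?:c:\\windows\\system32\\|c:\\windows\\syswow64\\|c:\\program files))',
                re.I)),
    # a core Windows process name referenced from a path that is not System32/SysWOW64
    ("masquerade.system_process_name",
     re.compile(r'(?<!\\system32)(?<!\\syswow64)'
                r'\\(?:csrss|smss|lsass|svchost|winlogon|wininit|services)\.exe\b', re.I)),
    # rundll32 loading a DLL from a user-writable AppData path (cred64.dll / clip64.dll above)
    ("rundll32.dll_from_appdata",
     re.compile(r'rundll32(?:\.exe)?"?\s+"?[^",]*\\appdata\\[^",]*\.dll\b', re.I)),
    # "ping ... -n N" or "choice ... /T N" used as a sleep before Del of a file
    ("cleanup.delayed_self_delete",
     re.compile(r'(?:\bping\s+\S+\s+-n\s+\d+|\bchoice\s+/c\s+\w+.*?/t\s+\d+)[^&]*&\s*del\b', re.I)),
    # Compress-Archive of a staging folder: data packaged before it leaves the host
    ("staging.compress_archive",
     re.compile(r'\bcompress-archive\b.*-destinationpath\b', re.I)),
    # saved Wi-Fi profile names enumerated
    ("recon.wifi_profiles",
     re.compile(r'\bnetsh\s+wlan\s+show\s+profiles?\b', re.I)),
    # a .NET utility started with no arguments at all: a common injection host
    ("injection.dotnet_host_without_args",
     re.compile(r'^"?[^"]*\\(?:regasm|installutil|regsvcs|msbuild|aspnet_compiler)\.exe"?\s*$', re.I)),
]


def triage(cmdline: str) -> list[str]:
    """Return the tags whose pattern matches this command line, in rule order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def summarize(cmdlines) -> dict[str, list[str]]:
    """Group command lines by tag; lines that hit no rule land under 'untagged'."""
    out: dict[str, list[str]] = {}
    for line in cmdlines:
        for tag in triage(line) or ["untagged"]:
            out.setdefault(tag, []).append(line)
    return out


# Sample input: command lines copied from the Processes list of this report;
# the last two (msedge, svchost) are benign lines from the same list.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe',
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"',
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\567984660271_Desktop.zip' -CompressionLevel Optimal",
    r'netsh wlan show profiles',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/',
    r'C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc',
]

if __name__ == "__main__":
    for tag, lines in summarize(SAMPLE_CMDLINES).items():
        print(tag)
        for line in lines:
            print("    " + line)
```

The rules are deliberately narrow: the firewall rule only fires when the allowed program lives outside the system directories, and the masquerade rule only fires when a core process name such as csrss.exe is referenced from somewhere other than System32 or SysWOW64, so the legitimate svchost line in the sample stays untagged. Each tag maps to a host check an analyst would run next (the scheduled task by name, the firewall rule by name and program path, the DLL paths under AppData\Roaming).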
Network
| Country | Destination | Domain | Proto |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 56.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| DE | 142.250.185.142:443 | www.youtube.com | tcp |
| FR | 157.240.195.35:443 | www.facebook.com | tcp |
| BE | 74.125.133.84:443 | accounts.google.com | tcp |
| DE | 142.250.184.206:443 | consent.youtube.com | tcp |
| BE | 74.125.133.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 35.195.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.133.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.185.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.185.250.142.in-addr.arpa | udp |
| GB | 157.240.221.16:443 | scontent.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent.xx.fbcdn.net | tcp |
| DE | 142.250.186.68:443 | | tcp |
| DE | 142.250.186.68:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| DE | 142.250.185.142:443 | play.google.com | tcp |
| DE | 142.250.185.142:443 | play.google.com | udp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| DE | 142.250.185.142:443 | play.google.com | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 193.233.132.216:57893 | 193.233.132.216 | tcp |
| DE | 185.172.128.33:8970 | | tcp |
| RU | 185.215.113.67:26260 | | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| US | 142.202.241.217:80 | 142.202.241.217 | tcp |
| TR | 217.195.207.156:47721 | | tcp |
| BE | 74.125.133.84:443 | accounts.google.com | udp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| DE | 4.185.137.132:1632 | | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.160.247:443 | operandotwo.com | tcp |
| US | 104.21.63.71:443 | lawyerbuyer.org | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| US | 104.21.63.71:443 | lawyerbuyer.org | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 46.226.167.187:80 | 46.226.167.187 | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 185.26.182.93:443 | features.opera-api2.com | tcp |
| NL | 82.145.216.23:443 | download.opera.com | tcp |
| US | 104.18.11.89:443 | download5.operacdn.com | tcp |
| FR | 143.244.56.51:443 | download.iolo.net | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| GB | 95.101.143.243:443 | download3.operacdn.com | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
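The Network table mixes browser and installer traffic with the connections that matter for an IOC list: plain HTTP to bare IPs (the 193.233.132.x, 185.215.113.x and 185.172.128.x rows) and raw TCP to high non-standard ports (57893, 8970, 26260, 48396, 47721, 1632). The following Python is an added example, not part of this report: it parses rows in the table's own layout, tolerates the rows where the empty Domain cell was dropped and the protocol slid into the Domain column, and sorts each destination into a category so that C2 candidates can be pulled out with hit counts. The category names and the short lists of IP-lookup and paste hosts are my own; the sample input is a subset of rows copied from the table above.

```python
import ipaddress
import re
from collections import Counter

# Added example: IOC extraction from the Network table of this report.
ROW_RX = re.compile(
    r'^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|\s*(?P<c3>[^|]*?)\s*\|\s*(?P<c4>[^|]*?)\s*\|$'
)

# Hosts that reveal the victim's public IP, and paste services often abused as
# dead drops. Both lists are this example's own and are intentionally short.
IP_LOOKUP_HOSTS = {"api.myip.com", "ipinfo.io"}
PASTE_HOSTS = {"pastebin.com"}


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) for each data row.

    Rows in the report sometimes lose their empty Domain cell, so the protocol
    appears in the third column; that layout is detected and corrected here."""
    for line in text.splitlines():
        m = ROW_RX.match(line.strip())
        if not m or ":" not in m["dst"]:
            continue  # header, separator or non-table line
        ip, port = m["dst"].rsplit(":", 1)
        c3, c4 = m["c3"], m["c4"]
        if c3.lower() in ("tcp", "udp") and not c4:
            domain, proto = "", c3  # protocol slid into the Domain column
        else:
            domain, proto = c3, c4
        yield m["cc"], ip, int(port), domain, proto.lower()


def classify(ip, port, domain, proto):
    """Assign one category to a destination; checks are ordered most-specific first."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_private or addr.is_loopback:
        return "local_noise"            # mDNS, link-local, lab infrastructure
    if port == 53 and proto == "udp":
        return "dns"                    # resolver traffic, including PTR lookups
    if not domain or domain == ip:      # no name was ever resolved for this peer
        if port == 80:
            return "c2_candidate_http_direct_ip"
        if port != 443:
            return "c2_candidate_raw_tcp_nonstandard_port"
        return "direct_ip_https"
    if domain in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if domain in PASTE_HOSTS:
        return "hosting_service_possible_dead_drop"
    return "named_host"                 # needs an analyst's eye, not auto-blocked


def extract_iocs(text):
    """Return {category: Counter('ip:port' or domain -> hit count)}."""
    out = {}
    for _cc, ip, port, domain, proto in parse_rows(text):
        cat = classify(ip, port, domain, proto)
        key = domain if cat in ("named_host", "external_ip_lookup",
                                "hosting_service_possible_dead_drop") else f"{ip}:{port}"
        out.setdefault(cat, Counter())[key] += 1
    return out


def c2_candidates(text):
    """Unique ip:port pairs from both C2 categories, sorted by address then port."""
    iocs = extract_iocs(text)
    keys = set()
    for cat in ("c2_candidate_http_direct_ip", "c2_candidate_raw_tcp_nonstandard_port"):
        keys.update(iocs.get(cat, {}))
    return sorted(keys, key=lambda k: (ipaddress.ip_address(k.rsplit(":", 1)[0]),
                                       int(k.rsplit(":", 1)[1])))


# Sample input: rows copied from the Network table above, including two rows
# in the shifted layout (protocol in the Domain column).
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| US | 8.8.8.8:53 | 56.132.233.193.in-addr.arpa | udp |
| DE | 142.250.185.142:443 | www.youtube.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 193.233.132.216:57893 | 193.233.132.216 | tcp |
| DE | 185.172.128.33:8970 | tcp | |
| RU | 185.215.113.67:26260 | tcp | |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
"""

if __name__ == "__main__":
    for cat, hits in extract_iocs(SAMPLE_TABLE).items():
        print(cat, dict(hits))
    print("C2 candidates:", c2_candidates(SAMPLE_TABLE))
```

Repeated rows are kept as hit counts rather than collapsed, since the number of beacons to 185.215.113.32:80 or 193.233.132.56:80 is itself useful when writing a network detection. Named hosts over 443 are left for manual review on purpose: the same category holds Google, Opera and Azure endpoints as well as the yip.su and pastebin.com rows, and an allowlist long enough to separate them does not belong in a triage script.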
Files
memory/1736-0-0x0000000000E00000-0x00000000012C0000-memory.dmp
memory/1736-1-0x0000000077B46000-0x0000000077B48000-memory.dmp
memory/1736-2-0x0000000000E00000-0x00000000012C0000-memory.dmp
memory/1736-7-0x0000000004C60000-0x0000000004C61000-memory.dmp
memory/1736-6-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
memory/1736-8-0x0000000004C70000-0x0000000004C71000-memory.dmp
memory/1736-5-0x0000000004C80000-0x0000000004C81000-memory.dmp
memory/1736-4-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
memory/1736-3-0x0000000004C90000-0x0000000004C91000-memory.dmp
memory/1736-9-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
memory/1736-10-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
| MD5 | 8cef71906c123049c0e3a0ebd9f420e3 |
| SHA1 | 60f4c13bc04c536f56b6fcb82fca6ebd556084d6 |
| SHA256 | 5c02baf7cc1a89b9248b0e80103e1ceafa4f2307adcb233e8b18151c6804ca71 |
| SHA512 | 6561c864d6c684e394160bcec82c36a12a8dc87070f224eae28d08ec92ceff29dedf84cc9307d7f1ccc035ffe4339fb67285e0756b72426658d70710031eacff |
memory/652-23-0x0000000000980000-0x0000000000E40000-memory.dmp
memory/1736-21-0x0000000000E00000-0x00000000012C0000-memory.dmp