Analysis Overview
SHA256
e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92
Threat Level: Known bad
The file e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92 was found to be: Known bad.
Malicious Activity Summary
RisePro
Amadey
Glupteba payload
Glupteba
Rhadamanthys
Stealc
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies firewall policy service
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Themida packer
Reads local data of messenger clients
Checks computer location settings
Reads data files stored by FTP clients
Identifies Wine through registry keys
Reads user/profile data of web browsers
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver
Checks whether UAC is enabled
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in System32 directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-29 14:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 14:05
Reported
2024-03-29 14:08
Platform
win10v2004-20240226-en
Max time kernel
95s
Max time network
160s
Command Line
Signatures
Amadey
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
Rhadamanthys
RisePro
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5676 created 2904 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000042001\7c4a4ee8ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4b8.1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\7c4a4ee8ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\7c4a4ee8ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u4b8.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u4b8.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FBGHIIJDGH.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\D4LJZ3VAaLXETttomDRfBuTO.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000042001\7c4a4ee8ee.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c4a4ee8ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\7c4a4ee8ee.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3568 set thread context of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1792 set thread context of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe |
| PID 5340 set thread context of 5676 | N/A | C:\Users\Admin\Pictures\bPQhBej8fqHC81fIEvuHxnS1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| File created | C:\Windows\Tasks\explorha.job | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4b8.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4b8.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4b8.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u4b8.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u4b8.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) | C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) | C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
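The injection rows above (`PID 5340 set thread context of 5676`, `PID 5676 created 2904`) and the persistence rows (Run key, `C:\Windows\Tasks\*.job`, FirewallRules value, AuthRoot thumbprint) can be reduced to a triage summary mechanically. The Python below is an added example and not part of the sandbox report: it embeds a constructed subset of the rows from this page (copied verbatim, except that the user SID in the Run-key row is shortened to "..."), rebuilds the injection chain from the PID edges, and buckets the persistence and network indicators a responder would sweep a host or proxy log for.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the signature rows on this page, copied
# verbatim except that the user SID in the Run-key row is shortened to "...".
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| PID 5676 created 2904 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
| PID 3568 set thread context of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1792 set thread context of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe |
| PID 5340 set thread context of 5676 | N/A | C:\Users\Admin\Pictures\bPQhBej8fqHC81fIEvuHxnS1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-...-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c4a4ee8ee.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\7c4a4ee8ee.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| File created | C:\Windows\Tasks\explorha.job | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
"""

COLUMNS = ("description", "indicator", "process", "target")
PID_EDGE = re.compile(r"PID (\d+) (set thread context of|created) (\d+)")
HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


def parse_rows(text):
    """Turn '| a | b | c | d |' lines into dicts, skipping the header row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == len(COLUMNS) and cells[0] != "Description":
            rows.append(dict(zip(COLUMNS, cells)))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def injection_chains(rows):
    """Build PID -> PID edges from the SetThreadContext / OtherParentProcess
    rows and walk each root (a PID that is never a destination) to the end.
    Each hop is (pid, image basename, verb that reached it). Only the first
    outgoing edge of a PID is followed; the first row naming a PID sets its image."""
    edges, image = defaultdict(list), {}
    for row in rows:
        m = PID_EDGE.match(row["description"])
        if not m:
            continue
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edges[src].append((dst, verb))
        image.setdefault(src, row["process"])
        image.setdefault(dst, row["target"])
    destinations = {dst for outs in edges.values() for dst, _ in outs}
    chains = []
    for root in sorted(pid for pid in edges if pid not in destinations):
        chain, pid, verb, seen = [], root, "root", set()
        while pid is not None and pid not in seen:
            seen.add(pid)
            chain.append((pid, basename(image[pid]), verb))
            pid, verb = edges[pid][0] if edges.get(pid) else (None, None)
        chains.append(chain)
    return chains


def persistence_iocs(rows):
    """Bucket the indicators a responder would sweep a host or proxy log for."""
    iocs = defaultdict(set)
    for row in rows:
        ind = row["indicator"]
        key_path = ind.split(" = ")[0]  # drop the written value on registry rows
        if "\\CurrentVersion\\Run\\" in key_path:
            iocs["run_key"].add(basename(key_path))
        elif key_path.startswith("C:\\Windows\\Tasks\\") and key_path.endswith(".job"):
            iocs["task_job"].add(key_path)
        elif "\\FirewallPolicy\\FirewallRules\\" in key_path:
            iocs["firewall_rule"].add(key_path)
        elif "\\SystemCertificates\\AuthRoot\\Certificates\\" in key_path:
            iocs["authroot_thumbprint"].add(basename(key_path))
        elif HOSTNAME.fullmatch(ind):
            iocs["domain"].add(ind)
    return {kind: sorted(values) for kind, values in iocs.items()}


def render(chain):
    """One line per chain: 5340:x.exe --set thread context of--> 5676:RegAsm.exe ..."""
    text = f"{chain[0][0]}:{chain[0][1]}"
    for pid, img, verb in chain[1:]:
        text += f" --{verb}--> {pid}:{img}"
    return text


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for chain in injection_chains(rows):
        print(render(chain))
    for kind, values in persistence_iocs(rows).items():
        print(f"{kind}: {', '.join(values)}")
```

For the SetThreadContext rows the Target column is the hollowed host image, so the 5340 chain reads as the executable dropped under Pictures writing into RegAsm.exe. For the OtherParentProcess row the report does not say whether sihost.exe is the newly created process or the parent that 5676 spoofed, so the last hop of that chain is something to confirm against the process tree rather than an established fact.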
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
"C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000042001\7c4a4ee8ee.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\7c4a4ee8ee.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe842346f8,0x7ffe84234708,0x7ffe84234718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe842346f8,0x7ffe84234708,0x7ffe84234718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe842346f8,0x7ffe84234708,0x7ffe84234718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7848416739783786634,4820298468833434501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7848416739783786634,4820298468833434501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8868193477216254695,6865827200106353714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8868193477216254695,6865827200106353714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\098131212907_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3568 -ip 3568
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 824
C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Users\Admin\Pictures\D4LJZ3VAaLXETttomDRfBuTO.exe
"C:\Users\Admin\Pictures\D4LJZ3VAaLXETttomDRfBuTO.exe"
C:\Users\Admin\Pictures\8t1IhaQkXjNoQWCtpebIqNSt.exe
"C:\Users\Admin\Pictures\8t1IhaQkXjNoQWCtpebIqNSt.exe"
C:\Users\Admin\Pictures\PZU5DJT3kfhwUERQlDi8SNXE.exe
"C:\Users\Admin\Pictures\PZU5DJT3kfhwUERQlDi8SNXE.exe"
C:\Users\Admin\Pictures\sQbKtnBWsoIZLrPPyRMb2Dza.exe
"C:\Users\Admin\Pictures\sQbKtnBWsoIZLrPPyRMb2Dza.exe"
C:\Users\Admin\Pictures\bPQhBej8fqHC81fIEvuHxnS1.exe
"C:\Users\Admin\Pictures\bPQhBej8fqHC81fIEvuHxnS1.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5340 -ip 5340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 852
C:\Users\Admin\AppData\Local\Temp\u4b8.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4b8.0.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe
"C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe" --silent --allusers=0
C:\Users\Admin\AppData\Local\Temp\u4b8.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4b8.1.exe"
C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe
C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6e97e1d0,0x6e97e1dc,0x6e97e1e8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5588 -ip 5588
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\vNa5K8IYtQUfOrGgRnemh8MR.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\vNa5K8IYtQUfOrGgRnemh8MR.exe" --version
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 1040
C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe
"C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6080 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329140619" --session-guid=6824d27e-49ca-41da-9968-7cd68d8b4ccd --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4805000000000000
C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe
C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6df7e1d0,0x6df7e1dc,0x6df7e1e8
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5676 -ip 5676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 624
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\098131212907_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5676 -ip 5676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 632
C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe
"C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBGHIIJDGH.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4400 -ip 4400
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\FBGHIIJDGH.exe
"C:\Users\Admin\AppData\Local\Temp\FBGHIIJDGH.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 3372
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x10f0040,0x10f004c,0x10f0058
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FBGHIIJDGH.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Users\Admin\Pictures\PZU5DJT3kfhwUERQlDi8SNXE.exe
"C:\Users\Admin\Pictures\PZU5DJT3kfhwUERQlDi8SNXE.exe"
C:\Users\Admin\Pictures\sQbKtnBWsoIZLrPPyRMb2Dza.exe
"C:\Users\Admin\Pictures\sQbKtnBWsoIZLrPPyRMb2Dza.exe"
C:\Users\Admin\Pictures\8t1IhaQkXjNoQWCtpebIqNSt.exe
"C:\Users\Admin\Pictures\8t1IhaQkXjNoQWCtpebIqNSt.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,13912286642801099194,2159610756350644502,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2560 /prefetch:2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 56.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| DE | 216.58.212.174:443 | www.youtube.com | tcp |
| BE | 108.177.15.84:443 | accounts.google.com | tcp |
| BE | 108.177.15.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| DE | 142.250.184.206:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.15.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.184.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scontent.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | video.xx.fbcdn.net | udp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 67.185.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.184.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.185.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 142.250.186.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 68.186.250.142.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| US | 8.8.8.8:53 | scontent-lhr8-1.xx.fbcdn.net | udp |
| DE | 142.250.186.68:443 | www.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | scontent-lhr6-1.xx.fbcdn.net | udp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 23.147.70.163.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| DE | 142.250.185.142:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.185.250.142.in-addr.arpa | udp |
| DE | 142.250.185.142:443 | play.google.com | udp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 17.64.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.18.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | piramidglobaltobacco.id | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 104.21.15.5:443 | operandotwo.com | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | guseman.org | udp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| US | 8.8.8.8:53 | 77.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.15.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.73.21.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 8.8.8.8:53 | 209.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.182.26.185.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.188.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| NL | 82.145.216.15:443 | features.opera-api2.com | tcp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 185.26.182.122:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | 15.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| US | 8.8.8.8:53 | 89.10.18.104.in-addr.arpa | udp |
| DE | 142.250.185.142:443 | play.google.com | udp |
| US | 46.226.167.187:80 | 46.226.167.187 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | 187.167.226.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 143.244.56.49:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 49.56.244.143.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| BE | 108.177.15.84:443 | accounts.google.com | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | addons.opera.com | udp |
| NL | 185.26.182.112:443 | addons.opera.com | tcp |
| US | 8.8.8.8:53 | addons-extensions.operacdn.com | udp |
| GB | 2.18.63.10:443 | addons-extensions.operacdn.com | tcp |
| US | 8.8.8.8:53 | 10.63.18.2.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 3843591d-c94f-4444-bab9-2525a703f51a.uuid.filesdumpplace.org | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
Files
memory/1520-0-0x0000000000B30000-0x0000000000FCF000-memory.dmp
memory/1520-1-0x0000000077634000-0x0000000077636000-memory.dmp
memory/1520-2-0x0000000000B30000-0x0000000000FCF000-memory.dmp
memory/1520-3-0x0000000004D80000-0x0000000004D81000-memory.dmp
memory/1520-6-0x0000000004D40000-0x0000000004D41000-memory.dmp
memory/1520-7-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/1520-4-0x0000000004D70000-0x0000000004D71000-memory.dmp
memory/1520-5-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
memory/1520-8-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/1520-9-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
memory/1520-10-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
memory/1520-11-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
| MD5 | 82a0e9df77991b4703d35b285fc54e02 |
| SHA1 | e5a417e3c955ef4ad266ee25d965beb1a73923f0 |
| SHA256 | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92 |
| SHA512 | 94d019ddbb31885afa8babbcc6c3c0b10be3fce76ff4ae44e6a13394fc71388ccb641317ac913fefe8ac4ebff7be4c776f5c5b5ec2940afa06d6b52d0b78f0fa |
memory/1520-23-0x0000000000B30000-0x0000000000FCF000-memory.dmp
memory/2844-24-0x0000000000450000-0x00000000008EF000-memory.dmp
memory/2844-25-0x0000000000450000-0x00000000008EF000-memory.dmp
memory/2844-27-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
memory/2844-26-0x0000000004A90000-0x0000000004A91000-memory.dmp
memory/2844-28-0x0000000004A80000-0x0000000004A81000-memory.dmp
memory/2844-29-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
memory/2844-30-0x0000000004A60000-0x0000000004A61000-memory.dmp
memory/2844-31-0x0000000004A70000-0x0000000004A71000-memory.dmp
memory/2844-32-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
memory/2844-33-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000042001\7c4a4ee8ee.exe
| MD5 | 800229e81ac8622c7303cf08d8ba5336 |
| SHA1 | cd601151c5f3fcdfa0c213594e1aee78a7420879 |
| SHA256 | eead74d6e44ef88fc319d627fffc927a0c6594c6a7e7896f3cedd0f4ba08c861 |
| SHA512 | a6110fee0ee93e92571cc5ab7d6b096d66373252b52feb6967f5fb1019ea7e939e187a0b8f80d5867f5f4081a74f1d02b33b50210b42228aeee6e9f6f1e6f968 |
memory/1228-52-0x0000000000580000-0x000000000093C000-memory.dmp
memory/1228-54-0x0000000000580000-0x000000000093C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
| MD5 | 2f8912af892c160c1c24c9f38a60c1ab |
| SHA1 | d2deae508e262444a8f15c29ebcc7ebbe08a3fdb |
| SHA256 | 59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308 |
| SHA512 | 0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1e3dc6a82a2cb341f7c9feeaf53f466f |
| SHA1 | 915decb72e1f86e14114f14ac9bfd9ba198fdfce |
| SHA256 | a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c |
| SHA512 | 0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 36bb45cb1262fcfcab1e3e7960784eaa |
| SHA1 | ab0e15841b027632c9e1b0a47d3dec42162fc637 |
| SHA256 | 7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae |
| SHA512 | 02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456 |
\??\pipe\LOCAL\crashpad_1380_QXOCPWEWZPQLGDGC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 87bb52e3f7932cc2d841e855659c01b3 |
| SHA1 | 728892ab83e95c6e8c2ea64b020d2fb04db05e1d |
| SHA256 | 3f4d75c9cfb86e2f47c2448bb5c12ddcf92a7a827a4b39e5f4728cc2cd73ce0e |
| SHA512 | 36d0567d88ee28cd2503167b832054d247e42d2105bfdcc7f6e50f34815cae94f697c3c387303b8b8c163ffd9a7de4a1af9e82845cd09f1a33ff286f5f3dafcc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a658e7b6662f4f96695e049c215822fc |
| SHA1 | a3cd4c24e17e3ed077858ffa807bfbea8886a0b2 |
| SHA256 | a8428de4f62a5f08458dcb0f248677a950f773697783e83ae293c69f38340c66 |
| SHA512 | 195d78c1676e4c44fbacb39a81c1bffb535054641851b84cb0539dc83f95b59f909bd3d6e86c27b1b10efcfefed9b57b06adbad37f11753c129a622b9a7fc30d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6dd71ebcfb2f2951e50c7df2f28c68b2 |
| SHA1 | 72291ca93b7eed08cb003d985dd542e0da47d70e |
| SHA256 | 869b258c0633551f34bb591184b759ca38f06b928887f48baafaa5a4d89faea7 |
| SHA512 | c6f0b5193b1a8433612cd614bcfe89dbfab99edf0193bd3eb7dc29395360396e13f4783caf001127ee156edcff351f39c58fbce6a4629de7989bb1c0fec1b80a |
memory/2844-200-0x0000000000450000-0x00000000008EF000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 15a42d3e4579da615a384c717ab2109b |
| SHA1 | 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301 |
| SHA256 | 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103 |
| SHA512 | 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444 |
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
| MD5 | 6f1ca07821a548cc136ced5b2e6d5c48 |
| SHA1 | a149e288de958cd5f14ac5f58b1c330091e25a3c |
| SHA256 | c9a2b7b61eecdabdbcf5dd2ac65a8d54b12649b46382fbd55ed47d1dfcc5cd2f |
| SHA512 | 051816a11e02d6c4dc891f7a36c02131e77ae82113738078828943f0182a77ecd19925f892a06004a09677e57444ee74088259bd9f25cd9a57104514fa1041dd |
memory/6140-244-0x0000000000CC0000-0x0000000001177000-memory.dmp
memory/2844-246-0x0000000000450000-0x00000000008EF000-memory.dmp
memory/6140-247-0x0000000000CC0000-0x0000000001177000-memory.dmp
memory/6140-248-0x0000000005660000-0x0000000005661000-memory.dmp
memory/6140-249-0x0000000005650000-0x0000000005651000-memory.dmp
memory/6140-250-0x0000000005680000-0x0000000005681000-memory.dmp
memory/6140-251-0x0000000005620000-0x0000000005621000-memory.dmp
memory/6140-252-0x0000000005640000-0x0000000005641000-memory.dmp
memory/6140-253-0x0000000005630000-0x0000000005631000-memory.dmp
memory/1228-261-0x0000000000580000-0x000000000093C000-memory.dmp
memory/2844-263-0x0000000000450000-0x00000000008EF000-memory.dmp
memory/6140-264-0x00000000056B0000-0x00000000056B1000-memory.dmp
memory/6140-265-0x00000000056A0000-0x00000000056A1000-memory.dmp
memory/6140-269-0x0000000000CC0000-0x0000000001177000-memory.dmp
memory/5352-304-0x000001E141920000-0x000001E141942000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_po04jmdb.1tt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5352-311-0x00007FFE80630000-0x00007FFE810F1000-memory.dmp
memory/5352-312-0x000001E141980000-0x000001E141990000-memory.dmp
memory/5352-313-0x000001E141980000-0x000001E141990000-memory.dmp
memory/1228-321-0x0000000000580000-0x000000000093C000-memory.dmp
memory/3524-324-0x0000000000450000-0x00000000008EF000-memory.dmp
memory/5044-325-0x0000000000BF0000-0x00000000010A7000-memory.dmp
memory/3524-327-0x0000000004E10000-0x0000000004E11000-memory.dmp
memory/3524-328-0x0000000004E30000-0x0000000004E31000-memory.dmp
memory/3524-326-0x0000000004E00000-0x0000000004E01000-memory.dmp
memory/3524-329-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
memory/3524-330-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
memory/5044-332-0x00000000055C0000-0x00000000055C1000-memory.dmp
memory/5044-333-0x00000000055D0000-0x00000000055D1000-memory.dmp
memory/3524-331-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
memory/5352-334-0x000001E159D70000-0x000001E159D82000-memory.dmp
memory/5352-335-0x000001E141970000-0x000001E14197A000-memory.dmp
memory/5352-342-0x00007FFE80630000-0x00007FFE810F1000-memory.dmp
memory/5044-343-0x0000000005590000-0x0000000005591000-memory.dmp
memory/5044-341-0x00000000055F0000-0x00000000055F1000-memory.dmp
memory/5044-344-0x00000000055B0000-0x00000000055B1000-memory.dmp
memory/5044-347-0x00000000055A0000-0x00000000055A1000-memory.dmp
memory/5044-349-0x0000000000BF0000-0x00000000010A7000-memory.dmp
memory/3524-350-0x0000000000450000-0x00000000008EF000-memory.dmp
memory/3524-348-0x0000000000450000-0x00000000008EF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c94915d1375c5b8cf4d38cfb830413dd |
| SHA1 | 050560b2bef9c23a0ea0f505d75069857e2bf0d4 |
| SHA256 | 576c2820d0f5efcf45ccb548e5aef05fd8cf98d8148db3a080f12d542bc58342 |
| SHA512 | fa5ecb35516c3ac6418ae015c3651c2724f5d7d28dd5854e2d5acac48a7c40ddf9fef89be39bbf21361c78f6127578c4e40d5c673860315d55835da97d675c9e |
memory/2844-376-0x0000000000450000-0x00000000008EF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b57811a1d313b5f51ee3f33f6dbda8c2 |
| SHA1 | d593f094a33eb66b3530181c7431b96b5d13d6e8 |
| SHA256 | 0aaf1b4dc781b2f31c1ccb8d15975c244ec8d06a805b3208d561cf85f4d3276d |
| SHA512 | 372c794232f46010689649c4d97132d376e90a9a434c5b27937635b55d85c68dd37bb4f7d2ea55c4d7182031b84bfde330ab321692d4fbbb501b5a38d93455f4 |
memory/5044-387-0x0000000005610000-0x0000000005611000-memory.dmp
memory/5044-383-0x0000000005620000-0x0000000005621000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe
| MD5 | 90f41880d631e243cec086557cb74d63 |
| SHA1 | cb385e4172cc227ba72baf29ca1c4411fa99a26d |
| SHA256 | 23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0 |
| SHA512 | eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 726cd06231883a159ec1ce28dd538699 |
| SHA1 | 404897e6a133d255ad5a9c26ac6414d7134285a2 |
| SHA256 | 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46 |
| SHA512 | 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e |
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe
| MD5 | 16f67f1a6e10f044bc15abe8c71b3bd6 |
| SHA1 | ce0101205b919899a2a2f577100377c2a6546171 |
| SHA256 | 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89 |
| SHA512 | a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | bc837550d56f4d15642eb70339c31eab |
| SHA1 | c99da125db374bf70cce3a0f4176f1f5e045647d |
| SHA256 | c0a447611a586fc7fc2cf94ba1c927d20f390fd63375a0688867b6454a8ef3f1 |
| SHA512 | c98322e3c374fb172fb64d232c526ca71f1f73ac749b428cdc02239b65a788c6c9069b888cea6c24ef6eb9904a3e42c997e066d83a29424ed608554b3268c434 |
C:\Users\Admin\Pictures\Kfwez67zgVNhyqAYYezEj7Ei.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\37PbePr4HXVK29raDcknTOBq.exe
| MD5 | 5a9d7e03fdef4c5bf9f4f673374039b9 |
| SHA1 | 27ac0af4cb2549b93a8c225343a04e432671df39 |
| SHA256 | 5708f387fee49aa31ef7d97765ff66785b7da3ca8d466e819f6d8e6f271b23c9 |
| SHA512 | c4a1541e731b01dfb6ca9f78c30570a248d6c003a43e1368090b5669e87f30d16350666d7860d697eee8a28ccf28e8dd0964bfdf0f2c36ebf40cd763d497a2ae |
C:\Users\Admin\Pictures\4wtvgtxuIZl08lWcRcSvuaWt.exe
| MD5 | 50ea0af1cda2af6b227e5ba70631fef3 |
| SHA1 | 486cae026eb692d7a43df4218ae9e204db894b20 |
| SHA256 | 13bab2f210c1baaf8c01a7aabfdeab5dee374bd51a813d045e6ac29a3901ba5d |
| SHA512 | 131cda4dca41c7b9a163baa0cc111792dcc2166a7d9e7f4e34806d394e833881e387fe4e3ad7491926abd42775bf9255cc70b491a3e45cc30a635b008ba27d02 |
C:\Users\Admin\Pictures\D4LJZ3VAaLXETttomDRfBuTO.exe
| MD5 | 6f17bbc203edea71880585d74262f262 |
| SHA1 | 6987d2e4d289921f84bab709bd74db970bd8056b |
| SHA256 | 5c3759c4051742b1366d7d2b7b4162c2a0035288970808a3ccbaedd19d6d18d1 |
| SHA512 | 11e3635a2ee674b3e9175b8fd89e5afd417efbf2a6e8a7368523e41f2efdd48a6c07533417ac98cce9dd1e1c77f5519796f768637d1114df77fc47fbc4fbd7a8 |
C:\Users\Admin\Pictures\8t1IhaQkXjNoQWCtpebIqNSt.exe
| MD5 | a7837001588691fb8bc8304f72ef19ee |
| SHA1 | eb7a63f9514900f4598b92e2fbec146e68b6726d |
| SHA256 | fe69939c74e1d2aa7966eb332c70dd24946050105d82706124d6687900044662 |
| SHA512 | fe2231ca4ab7dafea143b299e0ffc6bff75c6fc9e945e3e03cf70d2073c7bb6f7bb1d1145e18c933b6e9203c78c25cd3ee0994c876f6ac134e44148fbfb7760b |
C:\Users\Admin\Pictures\sQbKtnBWsoIZLrPPyRMb2Dza.exe
| MD5 | 60bcf281239531a5cc5910bd7afb51b6 |
| SHA1 | 87a7a117464fe016ee163cd294e646710321b3e7 |
| SHA256 | 425eabbe8a3d4829ca4c56e18a908e9d19704727d6e6af070073fa427b0ba34b |
| SHA512 | 8a30b984469d90b1a17337c58b756244795d9470bf2b274266ce9200d1d3dc0be5a87a4af1ddbee5e5ea1c8056ad01e9e3fcfba3f73c5c751184763cb97cc400 |
C:\Users\Admin\Pictures\bPQhBej8fqHC81fIEvuHxnS1.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bf6cf36aace3e1be1afa411d86adf6ed |
| SHA1 | cd76374af27d89a6ddc349e4386d7b543817997a |
| SHA256 | 906278bdd70b9cd58c716e7b11656824ac95e78c2a2e22e42dea72d5e7442e0e |
| SHA512 | 666500fa4c14a7541560e4ff96fb1f7578e1e275809c6e1e9ead5b71e42630f56af663d0dd491844f8f537026668d6210430b96680a5e1cbacedbfc37b270846 |
C:\Users\Admin\AppData\Local\Temp\u4b8.0.exe
| MD5 | f655c987a74774fcc43beda4ef44477d |
| SHA1 | e263b1d33cf69561c5e02ff078df90dfb9b0700c |
| SHA256 | 4ddb70f6593a3b8989c814b1cf9bc6607ee72c316685f904bf1e7014f87e85a2 |
| SHA512 | 464d0059e7353dbed812c9bc4f0fd8c90e0accc8bf299014b5536d5ed0597950fc946b61a2618d7cef43c010f6f9c58194e224a4d47fa944ced44b961615d8d1 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 92fbdfccf6a63acef2743631d16652a7 |
| SHA1 | 971968b1378dd89d59d7f84bf92f16fc68664506 |
| SHA256 | b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72 |
| SHA512 | b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117 |
C:\Users\Admin\Pictures\vNa5K8IYtQUfOrGgRnemh8MR.exe
| MD5 | f175a1c598b156b4b13fa6395d8cc8d8 |
| SHA1 | 626848344fe101c29b3bbb9875ce441d6bc8de64 |
| SHA256 | ae53c9a47eae2e126c17855742cfab1d56e04622188530a369b9cc2a8f7c6010 |
| SHA512 | e99e8ef823e2a4accbddb637c0db5e62d4a6eb5e28c6e9ca685a92366bdd67e0c291f643ce25ebfc7da5c5ab0ec92c0d664d97a6354dcae2c15f4b97ec3d4f37 |
C:\Users\Admin\AppData\Local\Temp\u4b8.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403291406188763828.dll
| MD5 | 117176ddeaf70e57d1747704942549e4 |
| SHA1 | 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b |
| SHA256 | 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af |
| SHA512 | ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f1cb62761ef4fa6aa60e77cf6db11502 |
| SHA1 | 24ffc0c1bf80154dfa6b1c9f1e56a5a27793f40a |
| SHA256 | d54c655a30927cbd9c406d68b74d72cc843678286a6353a694d843df13eac1d9 |
| SHA512 | 0f8799b86b2b2a0578d91b38d15a6e3f80df5b6fe7699cadf810bad8a2e25353ee6710bb46113b4bb963eb9d01d4f85885ca247043ab685f20c5776e6cad0d78 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580191.TMP
| MD5 | 951aecd2210a509d53c4355189e09dbf |
| SHA1 | f34d16f76b2185bc2bc2cc2d7a98c0e78af306f1 |
| SHA256 | b1c2396f3f590c216eb78d6bc99d643beb4c2ecdca0ba6fd597a8d6cc5857792 |
| SHA512 | 5fd6aa61dfa714668f0c2e4f4ef9a3c5523cc86f4a79d5d0e7b9fd5c53898c9fa6b6a5fc261252db95764c459ee92c86164c70c885ae4be92dca2a80d974a99e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | dd2c8ba57ab4d7a8487c136552de85b8 |
| SHA1 | 1c0a2d65f5b1838f16e9baaffc37a6ab45062447 |
| SHA256 | 85d7357009c511024e405703925edda0f12f491ff37ac05e4b534349c7e7dce0 |
| SHA512 | be9665c4d61560757e00286fe44cf85cb9a03e3e1646016f8084a7d511d70e3520fa818fb68dde5a41f5bbcea2c26e98419cd17c7ddc3c5b41334234e80fa2ee |
C:\Users\Admin\Pictures\9fVboIM3ZCRqZsLmD7gL5Rzj.exe
| MD5 | 858bb0a3b4fa6a54586402e3ee117076 |
| SHA1 | 997c31f043347883ea5ed2323a558b6cc5ea9c8e |
| SHA256 | d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35 |
| SHA512 | e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2afdbe3b99a4736083066a13e4b5d11a |
| SHA1 | 4d4856cf02b3123ac16e63d4a448cdbcb1633546 |
| SHA256 | 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee |
| SHA512 | d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 3e8655a33cff27c68d6536028c4f2423 |
| SHA1 | 0cd518ce41d31f1cc9f24192a3a1ba486f27c46e |
| SHA256 | 55793d4661262093677be6059c1ae4387b294db4655eb4c2ab5de0b201c4a37e |
| SHA512 | 2ff89adb1d8f9886e7eb419fe890ca9db457c4194f80c043378e35a711c70d434d9a884f4742370b65b9d3774872e4248755ec7b39e7e88abd6c7b36cb6a23c1 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\opera_package
| MD5 | 401c352990789be2f40fe8f9c5c7a5ac |
| SHA1 | d7c1e902487511d3f4e1a57abdee8a94d5483ed4 |
| SHA256 | f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3 |
| SHA512 | efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b3c68cd363ab4c9cb63b9feb5cd3d151 |
| SHA1 | fd8388511b332557520bd3b5679ee84ca507aa5c |
| SHA256 | bd3d8e67714106487d6979942a2a1dd7eb6ae104c3b648fe90a701c6c0b969f4 |
| SHA512 | 327829e999bc1c7a1beecb529f5ab0253b2bfbd5457da6d59de4c1a9ddd2f9bd5ffb7f80c7a058ef6d9112b856abc94b4dcf37048aac7940ac27b88660b985a3 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\additional_file0.tmp
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 3fda9af645225440fd4dbfec9c26bd4f |
| SHA1 | f9c53f2faa52297797a54ec11b97c3d09b0b7f64 |
| SHA256 | 1f8646fc2d9b5ad009f08c1151884ba830b58ae35669450f5208795a931bc2ca |
| SHA512 | 23f96685d6797c0bdbe6cb06e6ef0c7165168ac56816baa0e987763f3e816eea2c6eca27012d0e9077122028e7f47f5fce3c0fce2b18af1889a9da28c5a04a87 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 15e1d2b49d49a8b732553ea22db0ba52 |
| SHA1 | fa9ca12aa8b7ce3bf4c17c5cfcb508047886b198 |
| SHA256 | 5eac76f43e899f053adbb8e73fd3827201c326ac880ce675503a5175bd2aa66e |
| SHA512 | 95ff8e5e4e9c3fc75f96a0fb0a9df175760bef2535adc63f16dd9b1ebe714bfae99e0acb039d49e669377345a83f8af4baaaf6a75359d9023a72a67a45445e5e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 82e4d93f3ad4eb22241ebb716d7eabdf |
| SHA1 | 4cfdd458793cb8859a8489968eb376b077ff47ce |
| SHA256 | f59850161d897a6c5a3405a758a51df935d013197f0f319a13360b8ce25e0168 |
| SHA512 | 6ff0030426efe51aff12c114d106dda778bde4fe078051c84859c22ceed07c8a3f48d00b583364efe285fd8ee28ded48919d2fdca25b39b51cc6a96218d6b934 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\installer_prefs_include.json.backup
| MD5 | 1dfea2f25a19565f470b972abc641812 |
| SHA1 | cda808cdd109fc8c4d58e35431310c9294206eb5 |
| SHA256 | 33c4e288a3dd87a164847de8ae36e742e7c22da0d8b4fbd6b78ff74b1f208478 |
| SHA512 | d23d05799d824266550ecd56f1d95c9f8ac028c645d6cc371773b140316f5edb996ad9b89b4af7f3856a95f074f36286dde70dcdbd19a2616dd1d01d135d5d3b |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\installer_prefs_include.json
| MD5 | 82ca55d161189b1e7021f35a1f3e3918 |
| SHA1 | 0301a745de202a7c5df9b22da57c5a200303f76e |
| SHA256 | b9c00ce7544e192578af26f27797fb681d000ac82b608f8fdaeb8b2cc36aa256 |
| SHA512 | cb862a7800cbb3bb5cef5a37f0dc767c0cf9ace4c202c8a6601336104e841b8a447fd0f822ef53718dbffefd3d042a1baf3ed404811eeec5414d9d3ea6b843fa |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406191\installer_prefs_include.json
| MD5 | 40651f287feea6ec45b72687d2c1da5c |
| SHA1 | 4bb16084e2786c9b6265f2eeec7711632a1754b3 |
| SHA256 | f52a9191ca9ef63288fc1d0314df3974cdd47eff517d03c1975c520848f93313 |
| SHA512 | 2150d6220cbb602faf1b95353981adeadf3a6a0d2454dd56881c7baaf743e56ee7a9d671f5df91df2c070a5d3664793dc02e0af0afb7175c961ae0413819ef7b |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-03-29 14:05 |
| Reported | 2024-03-29 14:08 |
| Platform | win11-20240221-en |
| Max time kernel | 150s |
| Max time network | 151s |
Command Line
Signatures
Amadey
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
Rhadamanthys
RisePro
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3040 created 2852 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\845765797d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\845765797d.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe" | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5492 set thread context of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 6132 set thread context of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
| PID 4768 set thread context of 3040 | N/A | C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
Drops file in Windows directory
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe | N/A |
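The row above is a write to the machine AuthRoot store, which is where Windows' automatic root update caches public roots on demand during chain building, so on its own it is not evidence of a planted root. The hex is verifiable by hand: the record with propId 3 carries the same SHA-1 that forms the key name, propId 0x0b carries the UTF-16 friendly name "DigiCert Trusted Root G4", and propId 0x20 carries the DER certificate. The check a triager wants is that the key name, the stored hash property and the hash of the embedded certificate actually agree, and that the thumbprint is a root they expect. The Python below is an added example and is not part of this report or of any vendor tooling; the record layout is the CryptoAPI serialized certificate context as seen in the hex above, the allowlist contains only the thumbprint from this row, and the fixture certificate is a constructed stand-in, not a real certificate.

```python
"""Decode the "Blob" value Windows writes under
SystemCertificates\\<store>\\Certificates\\<SHA1> and cross-check it.
Added example, not part of this report. Layout (CryptoAPI serialized
certificate context): repeated records of
    DWORD propId | DWORD reserved (= 1) | DWORD cbData | cbData bytes
with the DER certificate itself in the final record, propId 0x20."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3       # 20-byte thumbprint, also used as the key name
CERT_FRIENDLY_NAME_PROP_ID = 11  # UTF-16LE, NUL terminated
CERT_CERT_PROP_ID = 32           # the encoded certificate

# Roots expected to appear in AuthRoot through Windows' automatic root update.
# Only the thumbprint from the table above is listed; assumption: replace this
# with your own trusted-root baseline rather than growing it from samples.
KNOWN_AUTHROOT = {
    "ddfb16cd4931c973a2037d3fc83a4d7d775d05e4": "DigiCert Trusted Root G4",
}


def thumbprint(cert: bytes) -> str:
    """SHA-1 over the DER bytes, lower-case hex (what Windows calls the thumbprint)."""
    return hashlib.sha1(cert).hexdigest()


def parse_cert_blob(blob: bytes) -> dict:
    """Return {propId: raw bytes}; raise ValueError on a malformed blob."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + size > len(blob):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = blob[off:off + size]
        off += size
    if off != len(blob):
        raise ValueError("trailing bytes after the last record")
    if CERT_CERT_PROP_ID not in props:
        raise ValueError("blob carries no certificate record")
    return props


def check_cert_blob(key_name: str, blob: bytes) -> dict:
    """Do the key name, the stored SHA-1 property and the hash of the embedded
    certificate agree, and is the root one we expect to see in AuthRoot?"""
    props = parse_cert_blob(blob)
    cert = props[CERT_CERT_PROP_ID]
    actual = thumbprint(cert)
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    consistent = actual == stored == key_name.lower()
    if not consistent:
        verdict = "inconsistent-blob"   # key name or hash property does not match the cert
    elif actual in KNOWN_AUTHROOT:
        verdict = "known-root"
    else:
        verdict = "unknown-root"        # pull the DER and review it before trusting
    return {"friendly_name": name, "thumbprint": actual,
            "consistent": consistent, "verdict": verdict}


def build_cert_blob(cert: bytes, friendly_name: str) -> bytes:
    """Encode a minimal blob in the same layout (for fixtures and tests)."""
    def rec(pid: int, data: bytes) -> bytes:
        return struct.pack("<III", pid, 1, len(data)) + data
    return (rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert).digest())
            + rec(CERT_FRIENDLY_NAME_PROP_ID, (friendly_name + "\0").encode("utf-16-le"))
            + rec(CERT_CERT_PROP_ID, cert))


# Constructed fixture: a tiny DER SEQUENCE standing in for a certificate.
FAKE_CERT = bytes.fromhex("3009020101040401020304")

if __name__ == "__main__":
    blob = build_cert_blob(FAKE_CERT, "Example Root")
    print(check_cert_blob(thumbprint(FAKE_CERT).upper(), blob))
    # To check the row above: pass bytes.fromhex(<the hex after "Blob = ">)
    # together with the key name DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.
```

Run against the row above (the Blob hex through `bytes.fromhex`, the key name as given), a consistent blob with verdict `known-root` means the sandbox watched Windows cache a public DigiCert root, which happens whenever a chain ending in that root is first built on the machine. `inconsistent-blob` (the key name or hash property claims one root while the DER is another) or `unknown-root` is the shape an attacker-planted root takes and is what deserves the "Modifies system certificate store" severity.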
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
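Two groups of rows in this report carry most of the triage value: the SetThreadContext table (an executable in Temp or Pictures writing the thread context of a freshly started RegAsm.exe, the classic shape of process hollowing, corroborated by the RegAsm.exe lines in the Processes list that carry no arguments at all) and a handful of command lines in the Processes list that follows (schtasks.exe re-running a Temp binary every minute, rundll32.exe loading cred64.dll and clip64.dll out of AppData\Roaming, `netsh wlan show profiles`, and PowerShell's Compress-Archive packing a Temp folder into a zip). The Python below is an added example and is not part of this report or of the sandbox's own signature engine; the rule names, the list of hollowing hosts and the path patterns are this example's assumptions, and the sample rows are copied from the tables on this page.

```python
"""Triage rules over sandbox rows: process hollowing via SetThreadContext and
LOLBin command lines. Added example, not part of this report or of the
sandbox's own signature engine; rule names, host list and path patterns are
this example's assumptions, sample rows are copied from this page."""
import re

# Signed Microsoft binaries that are commonly started suspended and hollowed.
# Assumption: illustrative list, extend it from your own telemetry.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "applaunch.exe"}

# Source binary lives somewhere an unprivileged user can write.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|pictures|downloads|desktop|documents)\\", re.I)
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def flag_thread_context(rows):
    """rows: (description, process, target) tuples as in the report table.
    Returns one finding per user-writable source that writes the thread
    context of a known hollowing host."""
    findings = []
    for desc, proc, target in rows:
        m = CTX_RE.search(desc)
        if not m:
            continue
        src_pid, dst_pid = m.groups()
        host = target.rsplit("\\", 1)[-1].lower()
        if host in HOLLOW_HOSTS and USER_WRITABLE.match(proc):
            findings.append(
                f"hollowing: {proc} (pid {src_pid}) -> {target} (pid {dst_pid})")
    return findings


# (rule name, regex over the full command line); the names are this example's own.
CMD_RULES = [
    ("persistence:schtasks-minute-temp", re.compile(
        r'schtasks\.exe"?\s+/create\b.*?/sc\s+minute\b.*?/tr\s+"?'
        r'c:\\users\\[^"]*\\appdata\\local\\temp\\', re.I)),
    ("credential-access:rundll32-appdata-dll", re.compile(
        r'rundll32\.exe"?\s+c:\\users\\[^\\]+\\appdata\\roaming\\[^,]+\.dll\s*,', re.I)),
    ("credential-access:wlan-profiles", re.compile(r"netsh\s+wlan\s+show\s+profiles", re.I)),
    ("collection:compress-archive-to-temp", re.compile(
        r"powershell.*compress-archive.*-destinationpath\s+'[^']*\\appdata\\local\\temp\\[^']*\.zip'", re.I)),
    ("hollow-host:regasm-no-arguments", re.compile(
        r'^"?c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\regasm\.exe"?\s*$', re.I)),
]


def triage_cmdlines(cmdlines):
    """Return (rule name, command line) for every rule that fires."""
    return [(name, cmd) for cmd in cmdlines for name, rx in CMD_RULES if rx.search(cmd)]


# Constructed sample input: rows copied from the SetThreadContext table and
# the Processes list on this page (the Edge line is a benign control).
THREAD_CONTEXT_ROWS = [
    ("PID 5492 set thread context of 4516",
     r"C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ("PID 6132 set thread context of 1392",
     r"C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"),
    ("PID 4768 set thread context of 3040",
     r"C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
]
CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    "netsh wlan show profiles",
    r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal",
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/',
]

if __name__ == "__main__":
    for finding in flag_thread_context(THREAD_CONTEXT_ROWS):
        print(finding)
    for name, cmd in triage_cmdlines(CMDLINES):
        print(f"{name:45} {cmd[:70]}")
```

The two functions are deliberately independent: a SetThreadContext hit on a hollowing host is strong on its own, and a RegAsm.exe launched with an empty command line is the cheap corroboration to look for in the process list when the sandbox did not capture the context write. The path patterns are tuned to this report's layout (everything under C:\Users\Admin), so widen them before pointing the rules at production telemetry.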
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
"C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11730444883340221998,15796735358467417627,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,11730444883340221998,15796735358467417627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,608283380746736222,8905572082569204458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5492 -ip 5492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 460
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe
"C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe"
C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe
"C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe"
C:\Users\Admin\Pictures\pDTVFZcmrgmUEckZDi5iM2jk.exe
"C:\Users\Admin\Pictures\pDTVFZcmrgmUEckZDi5iM2jk.exe"
C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe
"C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe"
C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe
"C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4768 -ip 4768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 884
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3040 -ip 3040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 532
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3040 -ip 3040
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 552
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5688 -ip 5688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1160
C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe
"C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe"
C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe
"C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe"
C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe
"C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe"
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
"C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe" --silent --allusers=0
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x298,0x6e70e1d0,0x6e70e1dc,0x6e70e1e8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q6uCvgSm9hhrjhUiHod1QGuX.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q6uCvgSm9hhrjhUiHod1QGuX.exe" --version
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
"C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6880 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329140620" --session-guid=e69f7e68-1247-4e2f-9070-8055d54aa567 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4805000000000000
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6dd8e1d0,0x6dd8e1dc,0x6dd8e1e8
C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe
"C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x1190040,0x119004c,0x1190058
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4616 -ip 4616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 2848
C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe
"C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5732 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| DE | 216.58.212.174:443 | www.youtube.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| BE | 108.177.15.84:443 | accounts.google.com | tcp |
| DE | 142.250.184.206:443 | www.youtube.com | tcp |
| BE | 108.177.15.84:443 | accounts.google.com | udp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 174.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.184.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp |
| DE | 142.250.186.68:443 | www.google.com | tcp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| DE | 142.250.186.68:443 | www.google.com | udp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 142.250.185.142:443 | www.youtube.com | tcp |
| DE | 142.250.185.142:443 | www.youtube.com | udp |
| RU | 193.233.132.56:80 | 193.233.132.56 | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| US | 188.114.96.2:443 | shipofdestiny.com | tcp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 188.114.96.2:443 | shipofdestiny.com | tcp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 104.21.15.5:443 | operandotwo.com | tcp |
| NL | 185.26.182.111:80 | features.opera-api2.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.111:443 | features.opera-api2.com | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 104.21.80.30:443 | guseman.org | tcp |
| US | 8.8.8.8:53 | 65.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.80.21.104.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 185.26.182.117:443 | download.opera.com | tcp |
| NL | 185.26.182.118:443 | features.opera-api2.com | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| GB | 95.101.143.176:443 | download3.operacdn.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| DE | 142.250.185.142:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | 176.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| FR | 185.93.2.245:443 | download.iolo.net | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| BE | 108.177.15.84:443 | accounts.google.com | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.104:443 | server5.datadumpcloud.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 104.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| BG | 185.82.216.104:443 | server5.datadumpcloud.org | tcp |
| BG | 185.82.216.104:443 | server5.datadumpcloud.org | tcp |
| DE | 142.250.184.206:443 | consent.youtube.com | udp |
Files
memory/1532-0-0x0000000000ED0000-0x000000000136F000-memory.dmp
memory/1532-1-0x0000000077B26000-0x0000000077B28000-memory.dmp
memory/1532-2-0x0000000000ED0000-0x000000000136F000-memory.dmp
memory/1532-3-0x00000000053B0000-0x00000000053B1000-memory.dmp
memory/1532-4-0x00000000053C0000-0x00000000053C1000-memory.dmp
memory/1532-6-0x00000000053E0000-0x00000000053E1000-memory.dmp
memory/1532-5-0x00000000053A0000-0x00000000053A1000-memory.dmp
memory/1532-7-0x0000000005380000-0x0000000005381000-memory.dmp
memory/1532-8-0x0000000005390000-0x0000000005391000-memory.dmp
memory/1532-9-0x0000000005410000-0x0000000005411000-memory.dmp
memory/1532-10-0x0000000005400000-0x0000000005401000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
| MD5 | 82a0e9df77991b4703d35b285fc54e02 |
| SHA1 | e5a417e3c955ef4ad266ee25d965beb1a73923f0 |
| SHA256 | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92 |
| SHA512 | 94d019ddbb31885afa8babbcc6c3c0b10be3fce76ff4ae44e6a13394fc71388ccb641317ac913fefe8ac4ebff7be4c776f5c5b5ec2940afa06d6b52d0b78f0fa |
memory/1532-21-0x0000000000ED0000-0x000000000136F000-memory.dmp
memory/2452-23-0x0000000000290000-0x000000000072F000-memory.dmp
memory/2452-24-0x0000000000290000-0x000000000072F000-memory.dmp
memory/2452-25-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/2452-26-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
memory/2452-27-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/2452-29-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
memory/2452-28-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
memory/2452-30-0x0000000004D20000-0x0000000004D21000-memory.dmp
memory/2452-31-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/2452-32-0x0000000004D40000-0x0000000004D41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe
| MD5 | 800229e81ac8622c7303cf08d8ba5336 |
| SHA1 | cd601151c5f3fcdfa0c213594e1aee78a7420879 |
| SHA256 | eead74d6e44ef88fc319d627fffc927a0c6594c6a7e7896f3cedd0f4ba08c861 |
| SHA512 | a6110fee0ee93e92571cc5ab7d6b096d66373252b52feb6967f5fb1019ea7e939e187a0b8f80d5867f5f4081a74f1d02b33b50210b42228aeee6e9f6f1e6f968 |
memory/4596-51-0x0000000000210000-0x00000000005CC000-memory.dmp
memory/4596-52-0x0000000000210000-0x00000000005CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
| MD5 | 2f8912af892c160c1c24c9f38a60c1ab |
| SHA1 | d2deae508e262444a8f15c29ebcc7ebbe08a3fdb |
| SHA256 | 59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308 |
| SHA512 | 0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 19a8bcb40a17253313345edd2a0da1e7 |
| SHA1 | 86fac74b5bbc59e910248caebd1176a48a46d72e |
| SHA256 | b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e |
| SHA512 | 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 96899614360333c9904499393c6e3d75 |
| SHA1 | bbfa17cf8df01c266323965735f00f0e9e04cd34 |
| SHA256 | 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c |
| SHA512 | 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7 |
\??\pipe\LOCAL\crashpad_4828_PUCPJKOASXXFHSAN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a350f7025b6ec2ca72d9b3059b59c05e |
| SHA1 | 11c3d56c8c82858be1f8c7b0b8f40dea3aaff9f4 |
| SHA256 | ffefbefdf7622cc57dcf66ed161faa4bb884f4ab9d84169a11295cb17bc997a3 |
| SHA512 | 2d55971ac93065c1f5d2d4f0f8b1227fce971c3eab01885822943bc853da57e7b7576fd7e0877b3a7e37e636d14509c367d63c33b9ebb3419f09618f1a0ec942 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 168f0454e9abbea7887f7b88bc07e534 |
| SHA1 | 9ebdef9db6f81d589816242b93f42461afc95069 |
| SHA256 | 572c76633388f5cb4ad3b3c429d2e401b40fed93e49423c4a3030ff94e637753 |
| SHA512 | dfc8c7c6bfa2b98373d02015533d7f8a798bbe43221bf1fbd042895a7b7c2cbfd33b1088f0dffc24ad4488b5301d1427f9fe0cb4cc3598f0e92be08dc50bcd39 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f424d3df754036b00256f58459e8f03c |
| SHA1 | 4726fff03a2780f9ed0ad72ec2702412ffe2d27c |
| SHA256 | 55144e0bd6c2d4fc0c7597eb20ca5e0496dd4e78ecb32f50b8f571b8bf9b3070 |
| SHA512 | b8807b69e0d5e1c3fbd050743bdd1a4ef6feb41c59eebeed196338e24d88e74042322ede9507567998cab9a5922a84c39b2e35d81baa507045a3298524752b9f |
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
| MD5 | 6f1ca07821a548cc136ced5b2e6d5c48 |
| SHA1 | a149e288de958cd5f14ac5f58b1c330091e25a3c |
| SHA256 | c9a2b7b61eecdabdbcf5dd2ac65a8d54b12649b46382fbd55ed47d1dfcc5cd2f |
| SHA512 | 051816a11e02d6c4dc891f7a36c02131e77ae82113738078828943f0182a77ecd19925f892a06004a09677e57444ee74088259bd9f25cd9a57104514fa1041dd |
memory/2452-246-0x0000000000290000-0x000000000072F000-memory.dmp
memory/5776-247-0x00000000004A0000-0x0000000000957000-memory.dmp
memory/5776-252-0x00000000004A0000-0x0000000000957000-memory.dmp
memory/5776-253-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
memory/5776-266-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
memory/5776-265-0x0000000004A90000-0x0000000004A91000-memory.dmp
memory/5776-273-0x0000000004A70000-0x0000000004A71000-memory.dmp
memory/5776-254-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
memory/5776-275-0x0000000004A80000-0x0000000004A81000-memory.dmp
memory/5776-304-0x0000000004B10000-0x0000000004B11000-memory.dmp
memory/5776-309-0x00000000004A0000-0x0000000000957000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 15a42d3e4579da615a384c717ab2109b |
| SHA1 | 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301 |
| SHA256 | 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103 |
| SHA512 | 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444 |
memory/2452-322-0x0000000000290000-0x000000000072F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cw1x45a1.h2c.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5460-332-0x00007FFEDE9E0000-0x00007FFEDF4A2000-memory.dmp
memory/5460-331-0x00000263D8A20000-0x00000263D8A42000-memory.dmp
memory/5460-333-0x00000263D8BE0000-0x00000263D8BF0000-memory.dmp
memory/5460-334-0x00000263D8BE0000-0x00000263D8BF0000-memory.dmp
memory/5460-335-0x00000263D8BE0000-0x00000263D8BF0000-memory.dmp
memory/5460-336-0x00000263D8BB0000-0x00000263D8BC2000-memory.dmp
memory/5460-337-0x00000263D8A10000-0x00000263D8A1A000-memory.dmp
memory/5460-343-0x00007FFEDE9E0000-0x00007FFEDF4A2000-memory.dmp
memory/4596-344-0x0000000000210000-0x00000000005CC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d08c499009b59a2186104515a9d4ba8d |
| SHA1 | 428bebee89ea29cf6200a6aa47dfe704d329e358 |
| SHA256 | 3cac08427b32b840c5b994511c4b320bdcb09b710aa503af2e6d7b231cb693bc |
| SHA512 | 1cfe6d7472922e29818b1632c3fc3fcf37ab103119fafbe772c7307f352f46c0a564929ad961e6a97ccd8f9e6a31d9f33852f4cbc56a78879caa81b71b023a7c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cb02ffd446115f374a57f36078f11d47 |
| SHA1 | 1577d565146aef62149a55b66ec99822b4b54494 |
| SHA256 | 6a3594d2bc5834afb8e770d29fb2535d3a79822648bcc158d6fedb8039ed37d8 |
| SHA512 | 1f1e8eb9fa3b21993555fb09c3470136a205c779b28c8322c6888e0c45933fd5ffcf8b7af8fe8a40abd21cc01094f0e1910e4714b00d5ac7df30409de11fd040 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
memory/2452-381-0x0000000000290000-0x000000000072F000-memory.dmp
memory/4596-384-0x0000000000210000-0x00000000005CC000-memory.dmp
memory/1948-386-0x0000000000290000-0x000000000072F000-memory.dmp
memory/4028-388-0x0000000000790000-0x0000000000C47000-memory.dmp
memory/1948-390-0x0000000000290000-0x000000000072F000-memory.dmp
memory/1948-391-0x0000000004D40000-0x0000000004D41000-memory.dmp
memory/4028-402-0x0000000005200000-0x0000000005201000-memory.dmp
memory/4028-401-0x00000000051F0000-0x00000000051F1000-memory.dmp
memory/4028-400-0x0000000005250000-0x0000000005251000-memory.dmp
memory/4028-399-0x0000000005210000-0x0000000005211000-memory.dmp
memory/4028-398-0x0000000005230000-0x0000000005231000-memory.dmp
memory/4028-397-0x0000000005220000-0x0000000005221000-memory.dmp
memory/1948-396-0x0000000004D20000-0x0000000004D21000-memory.dmp
memory/1948-395-0x0000000004D10000-0x0000000004D11000-memory.dmp
memory/1948-394-0x0000000004D70000-0x0000000004D71000-memory.dmp
memory/1948-393-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/1948-392-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/4028-403-0x0000000000790000-0x0000000000C47000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 726cd06231883a159ec1ce28dd538699 |