Analysis Overview
SHA256
8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f
Threat Level: Known bad
The file 8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f was found to be: Known bad.
Malicious Activity Summary
Amadey
ZGRat
RedLine payload
Glupteba
RedLine
Lumma Stealer
Detect ZGRat V1
UAC bypass
Windows security bypass
Stealc
Glupteba payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
Identifies Wine through registry keys
Windows security modification
Reads WinSCP keys stored on the system
Themida packer
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Reads local data of messenger clients
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
System policy modification
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-26 04:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 04:26
Reported
2024-04-26 04:29
Platform
win10v2004-20240412-en
Max time kernel
65s
Max time network
152s
Command Line
Signatures
Amadey
Detect ZGRat V1
Glupteba
Glupteba payload
Lumma Stealer
RedLine
RedLine payload
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Themida packer
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2812 set thread context of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe
"C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2812 -ip 2812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 892
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1472 -ip 1472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 360
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 356
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe"
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
C:\Users\Admin\Pictures\Ea28xyXmV42Fcfsy31slRxC4.exe
"C:\Users\Admin\Pictures\Ea28xyXmV42Fcfsy31slRxC4.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\288054676187_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
C:\Users\Admin\Pictures\aMw0v9zgrDzABSWfpuCbiX93.exe
"C:\Users\Admin\Pictures\aMw0v9zgrDzABSWfpuCbiX93.exe"
C:\Users\Admin\Pictures\OnT4BgxaNtgZwDEPIzJNjXJa.exe
"C:\Users\Admin\Pictures\OnT4BgxaNtgZwDEPIzJNjXJa.exe"
C:\Users\Admin\Pictures\LFtQDZMHYmtoeGfbXSFEGOCp.exe
"C:\Users\Admin\Pictures\LFtQDZMHYmtoeGfbXSFEGOCp.exe"
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClient
C:\Users\Admin\Pictures\reGFIfdvbHsXdtT53reuGrj5.exe
"C:\Users\Admin\Pictures\reGFIfdvbHsXdtT53reuGrj5.exe"
C:\Users\Admin\Pictures\Oux3HN1pXYBrlBSyUhURwZtW.exe
"C:\Users\Admin\Pictures\Oux3HN1pXYBrlBSyUhURwZtW.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClient confirm
C:\Users\Admin\AppData\Local\Temp\u49c.0.exe
"C:\Users\Admin\AppData\Local\Temp\u49c.0.exe"
C:\Users\Admin\Pictures\MRFhP83HvJC28rkGtrSyryhp.exe
"C:\Users\Admin\Pictures\MRFhP83HvJC28rkGtrSyryhp.exe"
C:\Users\Admin\AppData\Local\Temp\u47w.0.exe
"C:\Users\Admin\AppData\Local\Temp\u47w.0.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\0Kc88XuJFfEZKgyqgVUUd3OL.exe
"C:\Users\Admin\Pictures\0Kc88XuJFfEZKgyqgVUUd3OL.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCEA5.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Users\Admin\Pictures\B8xmAbYiKvW48fzfvWYitgnb.exe
"C:\Users\Admin\Pictures\B8xmAbYiKvW48fzfvWYitgnb.exe" --silent --allusers=0
C:\Users\Admin\Pictures\B8xmAbYiKvW48fzfvWYitgnb.exe
C:\Users\Admin\Pictures\B8xmAbYiKvW48fzfvWYitgnb.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6c0ee1d0,0x6c0ee1dc,0x6c0ee1e8
C:\Users\Admin\AppData\Local\Temp\u49c.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u49c.2\run.exe"
C:\Users\Admin\Pictures\W4wmhgSqXELZ4fAICR7uPhXT.exe
"C:\Users\Admin\Pictures\W4wmhgSqXELZ4fAICR7uPhXT.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5324 -ip 5324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 444
C:\Users\Admin\AppData\Local\Temp\u47w.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u47w.2\run.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\B8xmAbYiKvW48fzfvWYitgnb.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\B8xmAbYiKvW48fzfvWYitgnb.exe" --version
C:\Users\Admin\Pictures\58oqB0Gz7WYSTA8LXp6B2Q7q.exe
"C:\Users\Admin\Pictures\58oqB0Gz7WYSTA8LXp6B2Q7q.exe" --silent --allusers=0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 932 -ip 932
C:\Users\Admin\Pictures\B8xmAbYiKvW48fzfvWYitgnb.exe
"C:\Users\Admin\Pictures\B8xmAbYiKvW48fzfvWYitgnb.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6224 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240426042840" --session-guid=59adbca6-04e7-48f5-bd48-cbcc6c02c908 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=FC04000000000000
C:\Users\Admin\Pictures\58oqB0Gz7WYSTA8LXp6B2Q7q.exe
C:\Users\Admin\Pictures\58oqB0Gz7WYSTA8LXp6B2Q7q.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6b0fe1d0,0x6b0fe1dc,0x6b0fe1e8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\Pictures\B8xmAbYiKvW48fzfvWYitgnb.exe
C:\Users\Admin\Pictures\B8xmAbYiKvW48fzfvWYitgnb.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6ab6e1d0,0x6ab6e1dc,0x6ab6e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\58oqB0Gz7WYSTA8LXp6B2Q7q.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\58oqB0Gz7WYSTA8LXp6B2Q7q.exe" --version
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5324 -ip 5324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 464
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 932 -ip 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1300
C:\Users\Admin\AppData\Local\Temp\u49c.3.exe
"C:\Users\Admin\AppData\Local\Temp\u49c.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5520 -ip 5520
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClient
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1576
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 932 -ip 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1328
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\Temp\729272.exe
"C:\Windows\Temp\729272.exe" --list-devices
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
C:\Users\Admin\AppData\Local\Temp\u47w.3.exe
"C:\Users\Admin\AppData\Local\Temp\u47w.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5468 -ip 5468
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428401\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428401\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 1016
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428401\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428401\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428401\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0xbe6038,0xbe6044,0xbe6050
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClientC confirm
C:\Users\Admin\Pictures\UJr5dVCKeFo24GpWRyIZ7MJJ.exe
"C:\Users\Admin\Pictures\UJr5dVCKeFo24GpWRyIZ7MJJ.exe"
C:\Users\Admin\AppData\Local\Temp\7zS483A.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8 -ip 8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1016
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 8 -ip 8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1292
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\Temp\494116.exe
"C:\Windows\Temp\494116.exe" --coin BTC -m ADDRESSES -t 0 --range 30940712680000000:309407126c0000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8 -ip 8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1320
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 04:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\TKQzxdN.exe\" em /zSsite_idQMv 385118 /S" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
Network
| US | 8.8.8.8:53 | 205.201.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-26 04:26
Reported
2024-04-26 04:29
Platform
win11-20240412-en
Max time kernel
76s
Max time network
151s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2364 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2692 set thread context of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1272 set thread context of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1348 set thread context of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3872 set thread context of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe
"C:\Users\Admin\AppData\Local\Temp\8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2364 -ip 2364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 884
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2692 -ip 2692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 424
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 400
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe"
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\344820275820_Desktop.zip' -CompressionLevel Optimal
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClient
C:\Users\Admin\Pictures\fhaC16f4tfdz3fI63VIizGKx.exe
"C:\Users\Admin\Pictures\fhaC16f4tfdz3fI63VIizGKx.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClient confirm
C:\Users\Admin\Pictures\PMfuf8WfqJ2q8IY4CZ6PhbWy.exe
"C:\Users\Admin\Pictures\PMfuf8WfqJ2q8IY4CZ6PhbWy.exe"
C:\Users\Admin\Pictures\rUOwKLKprsQQA5LOPHcWfB35.exe
"C:\Users\Admin\Pictures\rUOwKLKprsQQA5LOPHcWfB35.exe"
C:\Users\Admin\Pictures\Mx5YIBPHaqla91UMyWIqudUc.exe
"C:\Users\Admin\Pictures\Mx5YIBPHaqla91UMyWIqudUc.exe"
C:\Users\Admin\Pictures\6ererPoGtcOtEVxKse1dtAYj.exe
"C:\Users\Admin\Pictures\6ererPoGtcOtEVxKse1dtAYj.exe"
C:\Users\Admin\Pictures\xtfBWleE4m4UtbE8Y8D1nHda.exe
"C:\Users\Admin\Pictures\xtfBWleE4m4UtbE8Y8D1nHda.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Users\Admin\Pictures\YiNhccxIqe3bgD8U6rAwVBxF.exe
"C:\Users\Admin\Pictures\YiNhccxIqe3bgD8U6rAwVBxF.exe"
C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe
"C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe" --silent --allusers=0
C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe
C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6c22e1d0,0x6c22e1dc,0x6c22e1e8
C:\Users\Admin\AppData\Local\Temp\u22k.0.exe
"C:\Users\Admin\AppData\Local\Temp\u22k.0.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fMgNIkbJs17kD8c9YqQ8EpRv.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\fMgNIkbJs17kD8c9YqQ8EpRv.exe" --version
C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe
"C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5052 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240426042829" --session-guid=66a6353b-79b1-4bc2-b197-e8f1e2113572 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6004000000000000
C:\Users\Admin\AppData\Local\Temp\u17k.0.exe
"C:\Users\Admin\AppData\Local\Temp\u17k.0.exe"
C:\Users\Admin\Pictures\jKDeFrqjBuMmdbJJCMgTgDFR.exe
"C:\Users\Admin\Pictures\jKDeFrqjBuMmdbJJCMgTgDFR.exe" --silent --allusers=0
C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe
C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6b5be1d0,0x6b5be1dc,0x6b5be1e8
C:\Users\Admin\Pictures\jKDeFrqjBuMmdbJJCMgTgDFR.exe
C:\Users\Admin\Pictures\jKDeFrqjBuMmdbJJCMgTgDFR.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6b0fe1d0,0x6b0fe1dc,0x6b0fe1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jKDeFrqjBuMmdbJJCMgTgDFR.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jKDeFrqjBuMmdbJJCMgTgDFR.exe" --version
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\Temp\506436.exe
"C:\Windows\Temp\506436.exe" --list-devices
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClientC confirm
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\Temp\287874.exe
"C:\Windows\Temp\287874.exe" --coin BTC -m ADDRESSES -t 0 --range 2ca0743d700000000:2ca0743d740000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Users\Admin\Pictures\lwq7kncrC3D95UBJYyqKLP19.exe
"C:\Users\Admin\Pictures\lwq7kncrC3D95UBJYyqKLP19.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\u17k.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u17k.2\run.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1752 -ip 1752
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1092
C:\Users\Admin\AppData\Local\Temp\u22k.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u22k.2\run.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1752 -ip 1752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1316
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1752 -ip 1752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1344
C:\Users\Admin\Pictures\xtfBWleE4m4UtbE8Y8D1nHda.exe
"C:\Users\Admin\Pictures\xtfBWleE4m4UtbE8Y8D1nHda.exe"
C:\Users\Admin\Pictures\6ererPoGtcOtEVxKse1dtAYj.exe
"C:\Users\Admin\Pictures\6ererPoGtcOtEVxKse1dtAYj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2896 -ip 2896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1096
C:\Users\Admin\Pictures\Mx5YIBPHaqla91UMyWIqudUc.exe
"C:\Users\Admin\Pictures\Mx5YIBPHaqla91UMyWIqudUc.exe"
C:\Users\Admin\Pictures\rUOwKLKprsQQA5LOPHcWfB35.exe
"C:\Users\Admin\Pictures\rUOwKLKprsQQA5LOPHcWfB35.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2896 -ip 2896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2896 -ip 2896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1400
C:\Users\Admin\AppData\Local\Temp\u22k.3.exe
"C:\Users\Admin\AppData\Local\Temp\u22k.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2684 -ip 2684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1020
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\Pictures\2Ozc53aT1p4LCg5tM2A5FirN.exe
"C:\Users\Admin\Pictures\2Ozc53aT1p4LCg5tM2A5FirN.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428291\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428291\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428291\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428291\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\7zS4433.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428291\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x8d6038,0x8d6044,0x8d6050
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 04:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\hjGlzqq.exe\" em /bZsite_idDKU 385118 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\u17k.3.exe
"C:\Users\Admin\AppData\Local\Temp\u17k.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1568 -ip 1568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1644
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\Pictures\bFRj0lMVx30eSwr2NCoC74pR.exe
"C:\Users\Admin\Pictures\bFRj0lMVx30eSwr2NCoC74pR.exe"
C:\Users\Admin\AppData\Local\Temp\7zS96B8.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
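The Signatures tables above (EnableLUA set to 0, Defender exclusion keys, SetThreadContext into argument-less RegAsm.exe/installutil.exe, a root certificate written by keks.exe) and the process list (Add-MpPreference and the forfiles-to-WMIC MSFT_MpPreference chain, schtasks /SC MINUTE /MO 1, netsh wlan show profiles, rundll32 loading cred64.dll from AppData\Roaming, Sc delete, and the choice /T 3 & Del self-deletion) are all telemetry a detection engineer can key on. What follows is an added example, not part of the report and not any vendor's rule set: a small set of rules over Sysmon-style process-creation and registry-write records. The sample records are constructed from the report's own image paths, command lines and registry targets; the parent-process pairings, the field names and the rule names are assumptions of this example.

```python
"""Triage rules over process-creation and registry-write telemetry (added example,
not part of the sandbox report). SAMPLE_EVENTS is constructed: image paths,
command lines and registry targets are copied from the report; parent-process
pairings and rule names are this example's assumptions."""
from __future__ import annotations
import re
from collections import namedtuple

# kind is "process" (uses image/cmdline/parent) or "registry" (uses image/target/value)
Event = namedtuple("Event", "kind image cmdline parent target value", defaults=("",) * 4)
Finding = namedtuple("Finding", "rule image detail")
HOLLOW_HOSTS = {"regasm.exe", "installutil.exe", "msbuild.exe", "regsvcs.exe"}  # SetThreadContext targets in the report
USER_WRITABLE = re.compile(r'(?i)c:\\users\\[^\\"]+\\(appdata|pictures|downloads|desktop)\\')
SERVICE_VERBS = {"delete", "create", "config", "stop"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> str:
    """Everything after argv[0], honouring a quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def check_process(ev: Event) -> list[Finding]:
    found: list[Finding] = []
    cmd, base, args = ev.cmdline.lower(), _base(ev.image), _args(ev.cmdline)
    hit = found.append
    # Defender exclusions via the cmdlet or the WMI class (the report shows both forms).
    if ("add-mppreference" in cmd and "-exclusion" in cmd) or ("msft_mppreference" in cmd and "exclusion" in cmd):
        hit(Finding("defender_exclusion", ev.image, args))
    # forfiles used purely as a proxy to spawn a shell, which defeats simple parent-child rules.
    if base == "forfiles.exe" and "/c" in cmd and ("powershell" in cmd or "cmd " in cmd):
        hit(Finding("lolbin_proxy_exec", ev.image, args))
    # Scheduled task with a minute-level repeat, the SYSTEM account or a user-writable payload.
    if base == "schtasks.exe" and "/create" in cmd and (
            "/sc minute" in cmd or '/ru "system"' in cmd or USER_WRITABLE.search(cmd)):
        hit(Finding("schtasks_persistence", ev.image, args))
    # choice as a sleep, then del: the self-deletion idiom from the process list.
    if "choice" in cmd and "/t" in cmd and re.search(r"\bdel\b", cmd):
        hit(Finding("self_delete", ev.image, args))
    if base == "netsh.exe" and "wlan show profiles" in cmd:
        hit(Finding("wifi_profile_dump", ev.image, args))
    if base == "sc.exe" and args.lower().split(" ")[0] in SERVICE_VERBS:
        hit(Finding("service_tamper", ev.image, args))
    if base == "rundll32.exe" and USER_WRITABLE.search(args):
        hit(Finding("rundll32_user_dll", ev.image, args))
    # Argument-less .NET utility spawned from a user-writable path: the hollowing pattern.
    if base in HOLLOW_HOSTS and args == "" and USER_WRITABLE.search(ev.parent):
        hit(Finding("hollow_host", ev.image, f"spawned by {ev.parent}"))
    return found


def check_registry(ev: Event) -> list[Finding]:
    t, found = ev.target.lower(), []
    if t.endswith("\\policies\\system\\enablelua") and ev.value.strip('"') == "0":
        found.append(Finding("uac_disabled", ev.image, "EnableLUA = 0"))
    if "\\windows defender\\exclusions" in t:
        found.append(Finding("defender_exclusion", ev.image, ev.target))
    if "\\systemcertificates\\root\\certificates\\" in t:
        found.append(Finding("root_cert_install", ev.image, ev.target.rsplit("\\", 1)[-1]))
    return found


def triage(events: list[Event]) -> list[Finding]:
    return [f for ev in events for f in (check_process(ev) if ev.kind == "process" else check_registry(ev))]


TEMP, NET = "C:\\Users\\Admin\\AppData\\Local\\Temp", "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed from the report's Processes/Signatures sections; parents assumed
    Event("process", f"{NET}\\RegAsm.exe", f'"{NET}\\RegAsm.exe"', f"{TEMP}\\1000147001\\swiiiii.exe"),
    Event("process", PS, f'"{PS}" Add-MpPreference -ExclusionPath "{TEMP}\\1000226001\\Uni400uni.exe" -Force',
          f"{TEMP}\\1000226001\\Uni400uni.exe"),
    Event("process", "C:\\Windows\\SysWOW64\\schtasks.exe",
          f'"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "{TEMP}\\1000150001\\NewB.exe" /F',
          f"{TEMP}\\1000150001\\NewB.exe"),
    Event("process", "C:\\Windows\\SysWOW64\\forfiles.exe",
          '"C:\\Windows\\System32\\forfiles.exe" /p c:\\windows\\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden '
          'WMIC /NAMESPACE:\\\\root\\Microsoft\\Windows\\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"',
          f"{NET}\\MSBuild.exe"),
    Event("process", "C:\\Windows\\SysWOW64\\cmd.exe",
          '"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"', f"{NET}\\RegAsm.exe"),
    Event("process", "C:\\Windows\\system32\\netsh.exe", "netsh wlan show profiles", "C:\\Windows\\system32\\rundll32.exe"),
    Event("process", "C:\\Windows\\system32\\rundll32.exe",
          '"C:\\Windows\\System32\\rundll32.exe" C:\\Users\\Admin\\AppData\\Roaming\\c1ec479e5342a2\\cred64.dll, Main',
          f"{TEMP}\\4d0ab15804\\chrosha.exe"),
    Event("process", "C:\\Windows\\SysWOW64\\sc.exe", "Sc delete GameServerClient", "C:\\Windows\\SysWOW64\\cmd.exe"),
    Event("process", "C:\\Windows\\System32\\notepad.exe", '"C:\\Windows\\System32\\notepad.exe" notes.txt', "C:\\Windows\\explorer.exe"),
    Event("registry", f"{TEMP}\\1000226001\\Uni400uni.exe",
          target="\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", value="0"),
    Event("registry", f"{TEMP}\\1000226001\\Uni400uni.exe", value="0",
          target=f"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\{TEMP}\\1000226001\\Uni400uni.exe"),
    Event("registry", "C:\\Users\\Admin\\AppData\\Roaming\\configurationValue\\keks.exe", value="<blob>",
          target="\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\F1A578C4CB5DE79A370893983FD4DA8B67B2B064"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:22s} {f.image}  [{f.detail}]")
```

Two points worth keeping in mind when turning rules like these into production detections. The rules match on command-line content rather than on the parent chain, because the MSBuild.exe → forfiles.exe → cmd.exe → powershell.exe → WMIC.exe sequence in the process list exists precisely to put several benign-looking hops between the dropped binary and the Defender change. And a finding of EnableLUA = 0 is worth a response even though the change does not take full effect until the next reboot: on an already-running host the prompt suppression is pending, and the write itself is the tell.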
Network
| Country | Destination | Domain | Proto |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | affordcharmcropwo.shop | udp |
| US | 104.21.67.211:443 | affordcharmcropwo.shop | tcp |
| US | 104.21.72.132:443 | cleartotalfisherwo.shop | tcp |
| US | 104.21.44.125:443 | worryfillvolcawoi.shop | tcp |
| US | 172.67.183.226:443 | enthusiasimtitleow.shop | tcp |
| US | 172.67.205.132:443 | dismissalcylinderhostw.shop | tcp |
| US | 8.8.8.8:53 | 226.183.67.172.in-addr.arpa | udp |
| US | 104.21.23.143:443 | diskretainvigorousiw.shop | tcp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| US | 104.21.47.56:443 | pillowbrocccolipe.shop | tcp |
| DE | 185.172.128.33:8970 | | tcp |
| US | 104.21.11.250:443 | productivelookewr.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 104.21.89.202:443 | tolerateilusidjukl.shop | tcp |
| US | 104.21.95.19:443 | shatterbreathepsw.shop | tcp |
| US | 172.67.216.69:443 | shortsvelventysjo.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| US | 172.67.157.23:443 | alcojoldwograpciw.shop | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| US | 172.67.192.138:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | 23.157.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.65.42.5.in-addr.arpa | udp |
| US | 172.67.147.169:443 | demonstationfukewko.shop | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 185.215.113.67:26260 | | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| FR | 52.143.157.84:80 | 52.143.157.84 | tcp |
| RU | 77.221.151.47:80 | 77.221.151.47 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| IE | 52.111.236.23:443 | | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 20.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.117:443 | download.opera.com | tcp |
| RU | 77.221.151.47:8080 | | tcp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.216.15:443 | features.opera-api2.com | tcp |
| NL | 185.26.182.117:443 | download.opera.com | tcp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 2.17.112.33:443 | download3.operacdn.com | tcp |
| FR | 185.93.2.244:443 | download.iolo.net | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| RU | 91.215.85.66:15647 | | tcp |
| RU | 91.215.85.66:9000 | | tcp |
Files
memory/3136-0-0x00000000004E0000-0x0000000000995000-memory.dmp
memory/3136-1-0x0000000077BD6000-0x0000000077BD8000-memory.dmp
memory/3136-2-0x00000000004E0000-0x0000000000995000-memory.dmp
memory/3136-5-0x00000000050E0000-0x00000000050E1000-memory.dmp
memory/3136-4-0x00000000050A0000-0x00000000050A1000-memory.dmp
memory/3136-6-0x0000000005080000-0x0000000005081000-memory.dmp
memory/3136-7-0x0000000005090000-0x0000000005091000-memory.dmp
memory/3136-3-0x00000000050B0000-0x00000000050B1000-memory.dmp
memory/3136-8-0x00000000050C0000-0x00000000050C1000-memory.dmp
memory/3136-9-0x0000000005100000-0x0000000005101000-memory.dmp
memory/3136-14-0x00000000004E0000-0x0000000000995000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
| MD5 | 3d4aba6f79628aa838e56d1a4b125382 |
| SHA1 | a66f2a92d6e96b3049249fa06bf23a4488f35730 |
| SHA256 | 8d9a07546be4fba37841af23d5fac678bf812e3cdd561033a505409f05a1354f |
| SHA512 | 5daccde7683fc90f2d470605fff72741bd0f15a12cd2c110cb45ac5233b57342aa6fa78bf5642358adaf4eab3f76f74e0781f30c206965c234cb02ec14e73090 |
memory/480-17-0x0000000000230000-0x00000000006E5000-memory.dmp
memory/480-18-0x0000000000230000-0x00000000006E5000-memory.dmp
memory/480-19-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
memory/480-20-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
memory/480-22-0x0000000004C90000-0x0000000004C91000-memory.dmp
memory/480-21-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
memory/480-23-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
memory/480-24-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
memory/480-25-0x0000000004D10000-0x0000000004D11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/2364-46-0x0000000073590000-0x0000000073D41000-memory.dmp
memory/2364-45-0x00000000001D0000-0x0000000000222000-memory.dmp
memory/3068-49-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3068-52-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2364-53-0x0000000002770000-0x0000000004770000-memory.dmp
memory/3068-54-0x0000000001240000-0x0000000001241000-memory.dmp
memory/3068-55-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2364-56-0x0000000073590000-0x0000000073D41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/2692-74-0x0000000000510000-0x00000000007C8000-memory.dmp
memory/5044-73-0x0000000000400000-0x0000000000592000-memory.dmp
memory/5044-77-0x0000000073590000-0x0000000073D41000-memory.dmp
memory/480-78-0x0000000000230000-0x00000000006E5000-memory.dmp
memory/5044-79-0x00000000054B0000-0x00000000054C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
memory/4304-99-0x00000000000F0000-0x00000000001B0000-memory.dmp
memory/4304-100-0x00007FF9856B0000-0x00007FF986172000-memory.dmp
memory/4304-102-0x000000001AE40000-0x000000001AE50000-memory.dmp
memory/480-101-0x0000000000230000-0x00000000006E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
memory/3824-119-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1272-120-0x0000000000600000-0x0000000000674000-memory.dmp
memory/3824-122-0x0000000000400000-0x000000000044E000-memory.dmp
memory/3824-123-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
memory/480-140-0x0000000000230000-0x00000000006E5000-memory.dmp
memory/4304-141-0x000000001D4C0000-0x000000001D5CA000-memory.dmp
memory/4304-144-0x000000001BD50000-0x000000001BD8C000-memory.dmp
memory/4304-143-0x000000001B1D0000-0x000000001B1E2000-memory.dmp
memory/4304-142-0x000000001AE40000-0x000000001AE50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
memory/3508-164-0x0000000073590000-0x0000000073D41000-memory.dmp
memory/3508-165-0x0000000000330000-0x0000000000382000-memory.dmp
memory/3508-166-0x00000000051E0000-0x0000000005786000-memory.dmp
memory/3508-167-0x0000000004D10000-0x0000000004DA2000-memory.dmp
memory/5044-169-0x0000000073590000-0x0000000073D41000-memory.dmp
memory/3508-168-0x0000000004EC0000-0x0000000004ECA000-memory.dmp
memory/3508-170-0x0000000004CF0000-0x0000000004D00000-memory.dmp
memory/3508-185-0x0000000005810000-0x0000000005886000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp7143.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3508-186-0x0000000006160000-0x000000000617E000-memory.dmp
memory/3508-189-0x00000000068A0000-0x0000000006EB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
| MD5 | 728a9d70eb2494e89873b0cbdc3ba430 |
| SHA1 | d69c4d7be694e0095058899613156e2452c1bc21 |
| SHA256 | 73e9463ce5ada7f99d693375e99bb7fa71624cd061c3cde643a2fd0083c5d1d7 |
| SHA512 | 8022e70e1355d1ef03c84749ece42fdc9b1d868e0c1be6222eba6e23a4b94862585f777aa62907e13e955eafe2508f340ac46aefab6c6e8060c9054e63d2a615 |
memory/3508-199-0x00000000063F0000-0x00000000064FA000-memory.dmp
memory/3508-200-0x0000000006330000-0x0000000006342000-memory.dmp
memory/3508-203-0x0000000006390000-0x00000000063CC000-memory.dmp
memory/3508-209-0x0000000006500000-0x000000000654C000-memory.dmp
memory/4304-212-0x000000001D9D0000-0x000000001DA46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
memory/4304-222-0x000000001B1B0000-0x000000001B1CE000-memory.dmp
memory/3872-231-0x000001C7367B0000-0x000001C736800000-memory.dmp
memory/3872-234-0x00007FF9856B0000-0x00007FF986172000-memory.dmp
memory/4304-235-0x000000001E020000-0x000000001E1E2000-memory.dmp
memory/4304-236-0x000000001E720000-0x000000001EC48000-memory.dmp
memory/5044-237-0x00000000054B0000-0x00000000054C0000-memory.dmp
memory/4304-239-0x00007FF9856B0000-0x00007FF986172000-memory.dmp
memory/1348-242-0x0000000000500000-0x000000000052E000-memory.dmp
memory/3872-240-0x000001C738460000-0x000001C738470000-memory.dmp
memory/3872-238-0x000001C738400000-0x000001C73845E000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
memory/4160-256-0x0000000000400000-0x000000000063B000-memory.dmp
memory/4160-260-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
| MD5 | 54e30b1ca3a46a4e8cb293e0321a12c3 |
| SHA1 | e75bf8a99d2712545efc6e5c82a7b5906419208b |
| SHA256 | 907172368a603ddc2f63d3444876f127bc21e4bb598985271e09dfbe15d4691f |
| SHA512 | 1c26c8e1d13889b2b3deeb2648dfb4e6d37f30b29bb8802fe18762c3799cc381933b8c5795a9fc283a91887a706490949411300f53aedff72124d92fca0edb44 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 3580aba10bb8006ab9f582ff875628cc |
| SHA1 | 755d188b8873ec335ff1f301d648a2ec49dd5388 |
| SHA256 | 4bbcf9f66736ae405bddef72f8961e3f295cee86ee2bbe2cdf693d10e9eca670 |
| SHA512 | d3f910e55ae8d9e4d0e22bd9b6ef9a940d0b272db555864472d0bb20622fcdddbf18b1343313b05eea1eefeaadd53ff4adbfd4ed0fb690e645510a27c42f1f34 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 0517d0fc1c39f6ff3e3c8386e8a308cb |
| SHA1 | b9bdb922201db566f2443faba6393f84cfc58e24 |
| SHA256 | 0e8b523db226b53ee9ea6e66d3affb3b99870f1f837b1149978d27e999e05ce2 |
| SHA512 | 4960f1294e05c254d04d2e3d4c5940ed3461b7384f88c351fed1879de1e28e385b94bc04a6b9ef012f80eca00d45e4c008ffdc07bfd93234551cbd81c9d65681 |
memory/3560-310-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrukiczl.tzr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
| MD5 | 6184676075afacb9103ae8cbf542c1ed |
| SHA1 | bc757642ad2fcfd6d1da79c0754323cdc823a937 |
| SHA256 | a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b |
| SHA512 | 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa |
memory/376-345-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7d760ca2472bcb9fe9310090d91318ce |
| SHA1 | cb316b8560b38ea16a17626e685d5a501cd31c4a |
| SHA256 | 5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4 |
| SHA512 | 141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35 |
C:\Users\Admin\Pictures\T2zwe9E00J1Ukjv7VpEwlltI.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Program Files (x86)\GameServerClient\installg.bat
| MD5 | b6b57c523f3733580d973f0f79d5c609 |
| SHA1 | 2cc30cfd66817274c84f71d46f60d9e578b7bf95 |
| SHA256 | d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570 |
| SHA512 | d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7 |
C:\Users\Admin\Pictures\fhaC16f4tfdz3fI63VIizGKx.exe
| MD5 | d39b7113410bf19d48d1f656c0ab009c |
| SHA1 | 133ff7840b78b98d639f14ebcc33ad8907503ca5 |
| SHA256 | 66b56c58735b627dedd96cd9e079be2f0a167df42b15932f054e6e2013c8ce41 |
| SHA512 | aac3a59575c6ad91c756f68b37419fe6d90ed1c3f2a481ab4d774353dec462ea9e08e00711b990c0307078ed740360d5d651f3454cd76cff1e71ce0afa10fc77 |
memory/4160-434-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\Pictures\PMfuf8WfqJ2q8IY4CZ6PhbWy.exe
| MD5 | 71c036b28ca03baf96cc1cbfcfb7281e |
| SHA1 | bdf33cd1ced7176f06c7210a36c48faf57e4227e |
| SHA256 | ba9cbc88e931954d07f5c067e67699d3a91cf9e0917a4ccd4e5065296f2da80b |
| SHA512 | c4964e78ab408f0f72a77c7956aa2bb502633fe77e40daea840e4b7e3cfc2d119f083ab9c12c02a88f1a053f2529285fa31626c933ff9d3e0f10a99ea4e202b8 |
C:\Program Files (x86)\GameServerClient\GameService.exe
| MD5 | d9ec6f3a3b2ac7cd5eef07bd86e3efbc |
| SHA1 | e1908caab6f938404af85a7df0f80f877a4d9ee6 |
| SHA256 | 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c |
| SHA512 | 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4 |
C:\Users\Admin\Pictures\Mx5YIBPHaqla91UMyWIqudUc.exe
| MD5 | 03531611da083e20c3131f47f5923e52 |
| SHA1 | cc4ef0b6e9524ec74d4c95bb7dbf7981590f1ee2 |
| SHA256 | fbd0606b08bb98e955f5815d30cdc8e4069ec731b7dcee2c650eb4538cbfe30b |
| SHA512 | 11927c886935989e3a5f9c44127138b97dbc421b91986ffa5f726c6634d955060fe04b8f1daf2669ff879c6bdccde69a0ffac718247292ade19bddaf996a69f9 |
memory/1216-533-0x0000013A50EF0000-0x0000013A5103F000-memory.dmp
memory/480-535-0x0000000000230000-0x00000000006E5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 56db2d5d39a37ae11509ae38d8ee0385 |
| SHA1 | 1d279f51fc0c546f05c561a24861f3ce1469386a |
| SHA256 | 4f5a4d243fa9daad396510c711bcff839a315e71aadf59f2a5e7325ee1b5b788 |
| SHA512 | af9a425fddd1d6f9d39bc7fb12137e7c05f24cef65b49d7f65eb4b50fb6daa0050a865d91a26b820d3cc9e67351a6c067032f746c718fa0ece1ecef25e53eaaf |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
memory/2932-560-0x0000013E34920000-0x0000013E34A6F000-memory.dmp
C:\Users\Admin\Pictures\YiNhccxIqe3bgD8U6rAwVBxF.exe
| MD5 | 69f6614893028c60394f744c7ebc1551 |
| SHA1 | ccd4a9f86876ddbfe2bc86a2b17a4cbc1857b1dd |
| SHA256 | b96a4de2d4f97380388b6b515e8cdef28a92f358a7d487be3463828303d8661d |
| SHA512 | 4a40bcf25303accf93bb15e281a53ee0cda93c1f7c1ede741338b8080daa0a61c6751c5d11ed8ceeec520782913f748298b5016565a31f47c980d8e868461855 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\Pictures\fMgNIkbJs17kD8c9YqQ8EpRv.exe
| MD5 | b46256c85fda31c9b25ee4fd138c6a5e |
| SHA1 | 174d427e48c4969accd0f65826a9ff6425c07359 |
| SHA256 | 15ee148d20a5b933a6c721944c57199d0ff6848b77a9f011f38b336bcf4174db |
| SHA512 | d1cd451d76c256c831660f63baa2eeb037ab57dd7e17fb417e1c2a5ec558e9247c29e8350e12af4c7045cbd3d40f664b245a869d2b438968a455a8f4638ea3b0 |
C:\Users\Admin\AppData\Local\Temp\u22k.0.exe
| MD5 | 92c44b47adc5e94d871e853a990630b7 |
| SHA1 | 5a7baf9d065fe9ee4e9e68dafb4f1836c19654ad |
| SHA256 | fd496043352e900780ba0ded51df57cd7ac6507ad916ff46fe2cff52e2b8e720 |
| SHA512 | 3d8c0a5bb8c33504c44fda7e0e9ebc784b7dd0a30761922cb1858e032dfdc2a4b0cf5cd251c7c9cbb42923b0f24b07242d3fc76501cacaa4da83201c69572e5f |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404260428279945052.dll
| MD5 | 45fe60d943ad11601067bc2840cc01be |
| SHA1 | 911d70a6aad7c10b52789c0312c5528556a2d609 |
| SHA256 | 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add |
| SHA512 | 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba |
C:\Users\Admin\Pictures\jKDeFrqjBuMmdbJJCMgTgDFR.exe
| MD5 | 22636316888c8f4a712ff3fdaafe6ba8 |
| SHA1 | bba98ee4ab1f31dda7eeb6d10c3a2d4526595f55 |
| SHA256 | d0374e051de0ee2e64e84a0520f577c0868523c12d03bc16e1268ec599e3c8c9 |
| SHA512 | 9bc3f17833c3a7226270b5f1c88acface5757d7fb9f94a2aa0c495552e04dad6f47be646380a36addafebe39bd8a1e8d4d4c811dff5184fdc2d27cf0539259f8 |
memory/2684-661-0x0000000000400000-0x0000000002B21000-memory.dmp
memory/1568-675-0x0000000000400000-0x0000000002B21000-memory.dmp
memory/480-689-0x0000000000230000-0x00000000006E5000-memory.dmp
memory/4156-690-0x0000000000400000-0x0000000002EE0000-memory.dmp
memory/3788-698-0x0000000000400000-0x0000000002EE0000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\Pictures\lwq7kncrC3D95UBJYyqKLP19.exe
| MD5 | 806f295ff14699677790ca246cb69864 |
| SHA1 | 5ff2e05176ea77a6a12ed50ac8836757dd342829 |
| SHA256 | 8f1fb3595585747a418c6fc186c36e3c0a98d80cc81c5df56e8faeb5b2421fb6 |
| SHA512 | ecb12e1d799c107f39b998851938b428b1d81906615505aff3ab8426bba06d9d827e29405d8de26761341e57ef38c059d6ec68309df938326771c11dde7175a8 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Users\Admin\AppData\Local\Temp\u17k.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u17k.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
memory/3784-915-0x000000006EB50000-0x000000006ECCD000-memory.dmp
memory/1568-910-0x0000000000400000-0x0000000002B21000-memory.dmp
memory/3784-917-0x00007FF9A6720000-0x00007FF9A6929000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u22k.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
memory/480-955-0x0000000000230000-0x00000000006E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u22k.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u22k.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u22k.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/4156-978-0x0000000000400000-0x0000000002EE0000-memory.dmp
memory/3228-1004-0x0000000000400000-0x0000000002EE0000-memory.dmp
memory/3788-1008-0x0000000000400000-0x0000000002EE0000-memory.dmp
memory/388-1009-0x0000000000400000-0x0000000002EE0000-memory.dmp
memory/5904-1010-0x000000006EB50000-0x000000006ECCD000-memory.dmp
memory/5904-1012-0x00007FF9A6720000-0x00007FF9A6929000-memory.dmp
memory/3784-1074-0x000000006EB50000-0x000000006ECCD000-memory.dmp
memory/5232-1086-0x0000000140000000-0x000000014075E000-memory.dmp
memory/1752-1083-0x0000000000400000-0x0000000002AFD000-memory.dmp
memory/5904-1095-0x000000006EB50000-0x000000006ECCD000-memory.dmp
memory/2684-1097-0x0000000000400000-0x0000000002B21000-memory.dmp
memory/5312-1101-0x00007FF9A6720000-0x00007FF9A6929000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428291\opera_package
| MD5 | add8113190da0a7e1aa0e309cb666e6e |
| SHA1 | c4d9ee6155648bf16945a73d5587f26609a2e608 |
| SHA256 | b807fc970ea238f94e6bdc6ef0365563d74175aec6ee212839ee152adb0885ba |
| SHA512 | 91841dedc060eee156d8bf4770ffb9a23dc05f54bcf551129590970b160a9c10cc1848265e5c221853070b1d96e4a8f6180fd7d82d1697491ffb1de32093015e |
C:\Users\Admin\AppData\Local\Temp\u22k.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 9a72658dd70407cd9587b3d327bd9055 |
| SHA1 | 28b48d76629c15b045b6ca045262e9c1a61375bc |
| SHA256 | a49f082ecee9ae05aab2137b22280013e02f452c0bf7f07776c0c3549772658c |
| SHA512 | d36fafd13c3251be6235b468ad6a9feb8ac5a92aa1950db97fca66ce731b8e97912f57734813733f6390127dd418475045fb774b55b08b589b5a6568f304b606 |
C:\Users\Admin\Pictures\2Ozc53aT1p4LCg5tM2A5FirN.exe
| MD5 | d981fb3fc1f28bea729db051c75dae08 |
| SHA1 | d5eea12045a6d998da1a362f70748fc09874d0b4 |
| SHA256 | aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f |
| SHA512 | a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404260428291\additional_file0.tmp
| MD5 | 15d8c8f36cef095a67d156969ecdb896 |
| SHA1 | a1435deb5866cd341c09e56b65cdda33620fcc95 |
| SHA256 | 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8 |
| SHA512 | d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | b40687514354d585eff256fe7de9d287 |
| SHA1 | b62a0ffc40d8ca061c37ddcecab28e976d3ad099 |
| SHA256 | 59aff682f8cd6d6bd875fe528a6b5324775b5df01d7e08f9eb1374099d4272f8 |
| SHA512 | 483131395530d9515a6e81eee02880b427c2059d7eb704722ee2093f64c53d699aa8a4b613f0441ed60c5dc6de04f96b0b7ed405dce1ad4d34503cd8ce230e8d |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | a5d41f4380108fa497ad1eea80ba1beb |
| SHA1 | 28587a24e252e91b6d149748d792b047ae57af73 |
| SHA256 | 7fbe9fd73147562e6c660912e7e27c337d8301091e42806dcae6208bcb1b4f7a |
| SHA512 | de1e2d636924bbc60b4495318dc45415575edadbbb5134b308b34e66ef095f99811b5ca80b6e0ad8c9ff94c278169cce46d2f03b937bfe64bc6e60ccc64012f6 |
C:\Users\Admin\AppData\Local\Temp\tmp865E.tmp
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Temp\tmp877A.tmp
| MD5 | 22be08f683bcc01d7a9799bbd2c10041 |
| SHA1 | 2efb6041cf3d6e67970135e592569c76fc4c41de |
| SHA256 | 451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457 |
| SHA512 | 0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936 |
C:\Users\Admin\AppData\Local\Temp\7zS96B8.tmp\Install.exe
| MD5 | e77964e011d8880eae95422769249ca4 |
| SHA1 | 8e15d7c4b7812a1da6c91738c7178adf0ff3200f |
| SHA256 | f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50 |
| SHA512 | 8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade |