Technical Information (sandbox behaviour listing: registry change, launched processes, files touched, file renames, network endpoints, DNS lookups, window classes; characters shown as '#' in hostnames, IP addresses and URLs are masked in the report and are not literal)
- [<HKLM>\SYSTEM\ControlSet001\services\sppsvc] 'Start' = '00000002'
- '<SYSTEM32>\Wat\WatAdminSvc.exe'
- '<SYSTEM32>\slui.exe' -Embedding
- '<SYSTEM32>\sppsvc.exe'
- '<SYSTEM32>\Wat\WatAdminSvc.exe' /run
- '<SYSTEM32>\taskhost.exe' --type=utility --channel="2976.6.1148781537\1702943405" --lang=en-US --with-feature:enhanced-autofill --ignored=" --type=renderer " /prefetch:-645351001
- '<SYSTEM32>\schtasks.exe' /pid=0xa14 /log
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\73CE.tmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\716C.tmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7661.tmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\74AA.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab569D.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab477B.tmp
- %WINDIR%\Temp\tmpB6B1.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab567C.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab55DE.tmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000002
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\000001.dbtmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\LOG
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\000002.dbtmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000001
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7C00.tmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7931.tmp
- %APPDATA%\Roaming\Microsoft\Windows\Recent\CustomDestinations\HDZWQXURNJAIWNZWCLSZ.temp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7CAE.tmp
- %TEMP%\etilqs_qJh0fkqp5x41Kyo
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\LOG
- %APPDATA%\Roaming\Opera Software\Opera Stable\3F6.tmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\History Provider Cache
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\000002.dbtmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\MANIFEST-000001
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\index[1].php
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\MANIFEST-000002
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\000001.dbtmp
- %TEMP%\etilqs_mkxZxRWpaXWjoBn
- %WINDIR%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C24EC5BDAF13613245B4CECC3DE91DC6
- %HOMEPATH%\Downloads\forums:Zone.Identifier
- %HOMEPATH%\Downloads\en:Zone.Identifier
- %WINDIR%\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C24EC5BDAF13613245B4CECC3DE91DC6
- %HOMEPATH%\Downloads\12C6.tmp
- <Auxiliary element>
- %TEMP%\etilqs_A54F8raXSbHa7ZQ
- %HOMEPATH%\Downloads\21E3.tmp
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7651.tmp~RFc780c.TMP
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7920.tmp~RFc7aba.TMP
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7331.tmp~RFc7406.TMP
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\741D.tmp~RFc75ac.TMP
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT~RFc8258.TMP
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000001
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7BE0.tmp~RFc7c8e.TMP
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7CAD.tmp~RFc7de6.TMP
- %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\70A0.tmp~RFc7271.TMP
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\MANIFEST-000001
- %WINDIR%\Temp\tmpB6B1.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\index[1].php
- %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT~RFadd72.TMP
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab567C.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab569D.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab477B.tmp
- %WINDIR%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cab55DE.tmp
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7931.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7920.tmp
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7920.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7920.tmp~RFc7aba.TMP
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7C00.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7BE0.tmp
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\741D.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\741D.tmp~RFc75ac.TMP
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7661.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7651.tmp
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7651.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7651.tmp~RFc780c.TMP
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7BE0.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7BE0.tmp~RFc7c8e.TMP
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\000001.dbtmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\000002.dbtmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT~RFc8258.TMP
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7CAE.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7CAD.tmp
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7CAD.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7CAD.tmp~RFc7de6.TMP
- from %APPDATA%\Roaming\Microsoft\Windows\Recent\CustomDestinations\HDZWQXURNJAIWNZWCLSZ.temp to %APPDATA%\Roaming\Microsoft\Windows\Recent\CustomDestinations\8548f632abe97aa3.customDestinations-ms
- from %APPDATA%\Roaming\Opera Software\Opera Stable\3F6.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Preferences
- from %HOMEPATH%\Downloads\21E3.tmp to %HOMEPATH%\Downloads\en.opdownload
- from %HOMEPATH%\Downloads\12C6.tmp to %HOMEPATH%\Downloads\forums.opdownload
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\000001.dbtmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\000002.dbtmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT~RFadd72.TMP
- from %HOMEPATH%\Downloads\en.opdownload to %HOMEPATH%\Downloads\en
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\73CE.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7331.tmp
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7331.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\7331.tmp~RFc7406.TMP
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\74AA.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\741D.tmp
- from %HOMEPATH%\Downloads\forums.opdownload to %HOMEPATH%\Downloads\forums
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\716C.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\70A0.tmp
- from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\70A0.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\70A0.tmp~RFc7271.TMP
- 'ct###.#indowsupdate.com':80
- '93.##8.134.11':80
- 'bi##.#ikimedia.org':80
- 'ap#.###sys.opera.com':443
- 'au######te.geo.opera.com':443
- '20#.#6.232.182':80
- 'pi###hideout.us':80
- 'si#####ck2.opera.com':80
- 'www.pi###hideout.us':80
- 'i.##0.ru':80
- 'www.go##le.ru':80
- 'www.ic#.com':80
- 20#.#6.232.182/pki/crl/products/microsoftrootcert.crl
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3c##############
- www.ic#.com/en
- 20#.#6.232.182/pki/crl/products/WinPCA.crl
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?07##############
- ct###.#indowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8e##############
- 20#.#6.232.182/fwlink/?Li###########
- pi###hideout.us/forums
- si#####ck2.opera.com/?ho#######################################################
- si#####ck2.opera.com/?ho###############################################
- www.pi###hideout.us/guidsys/index.php?Gu##############
- www.go##le.ru/favicon.ico
- 93.##8.134.11/favicon.ico
- bi##.#ikimedia.org/favicon/wikipedia.ico
- i.##0.ru/2011/icons/rambler.ico
- DNS ASK crl.microsoft.com
- DNS ASK www.microsoft.com
- DNS ASK sl####i.yandex.ru
- DNS ASK ct###.#indowsupdate.com
- DNS ASK dn#.##ftncsi.com
- DNS ASK ap#.###sys.opera.com
- DNS ASK go.###rosoft.com
- DNS ASK au######te.geo.opera.com
- DNS ASK si#####ck2.opera.com
- DNS ASK pi###hideout.us
- DNS ASK www.pi###hideout.us
- DNS ASK www.google.com
- DNS ASK i.##0.ru
- DNS ASK bi##.#ikimedia.org
- DNS ASK www.ic#.com
- DNS ASK www.go##le.ru
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Opera_MessageWindow' WindowName: '%APPDATA%\Roaming\Opera Software\Opera Stable'