Analysis Overview
SHA256
f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287
Threat Level: Known bad
The file f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Glupteba payload
Glupteba
RedLine payload
ZGRat
Amadey
Stealc
UAC bypass
RedLine
Lumma Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
Stops running service(s)
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Identifies Wine through registry keys
Checks BIOS information in registry
Reads WinSCP keys stored on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-25 22:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-25 22:28
Reported
2024-04-25 22:34
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe
"C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe"
Network
Files
memory/1940-0-0x0000000000300000-0x00000000007B7000-memory.dmp
memory/1940-1-0x0000000076FB0000-0x0000000076FB2000-memory.dmp
memory/1940-13-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/1940-12-0x0000000000800000-0x0000000000801000-memory.dmp
memory/1940-11-0x0000000001130000-0x0000000001131000-memory.dmp
memory/1940-10-0x0000000000F90000-0x0000000000F91000-memory.dmp
memory/1940-9-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
memory/1940-8-0x00000000008D0000-0x00000000008D1000-memory.dmp
memory/1940-7-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1940-6-0x0000000002650000-0x0000000002651000-memory.dmp
memory/1940-5-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/1940-4-0x0000000001000000-0x0000000001001000-memory.dmp
memory/1940-3-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
memory/1940-2-0x0000000000300000-0x00000000007B7000-memory.dmp
memory/1940-17-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/1940-22-0x0000000000300000-0x00000000007B7000-memory.dmp
memory/1940-18-0x00000000028C0000-0x00000000028C1000-memory.dmp
memory/1940-15-0x0000000002660000-0x0000000002661000-memory.dmp
memory/1940-14-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-25 22:28
Reported
2024-04-25 22:34
Platform
win10-20240404-en
Max time kernel
93s
Max time network
297s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 200 set thread context of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2336 set thread context of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1924 set thread context of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4872 set thread context of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 292 set thread context of 424 | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5028 set thread context of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\GameServerClient\installc.bat | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\installg.bat | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\GameService.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\GameServerClient.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\GameServerClientC.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\installc.bat | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\installg.bat | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\GameService.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\GameServerClient.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\GameServerClientC.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe
"C:\Users\Admin\AppData\Local\Temp\f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 200 -s 716
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 508
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 504
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\735606991074_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
C:\Users\Admin\Pictures\4bfKBpwrjclcPetR6QZGvVSR.exe
"C:\Users\Admin\Pictures\4bfKBpwrjclcPetR6QZGvVSR.exe"
C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe
"C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Users\Admin\Pictures\A0DBxEb4CWJ5lqC6fVrKqGZv.exe
"C:\Users\Admin\Pictures\A0DBxEb4CWJ5lqC6fVrKqGZv.exe"
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
C:\Users\Admin\Pictures\bR2wmEBEEi1em6seHLokEXnU.exe
"C:\Users\Admin\Pictures\bR2wmEBEEi1em6seHLokEXnU.exe"
C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe"
C:\Users\Admin\Pictures\VX91subzGlh8JGsVl1hkHR4E.exe
"C:\Users\Admin\Pictures\VX91subzGlh8JGsVl1hkHR4E.exe"
C:\Users\Admin\Pictures\fndn0JFQGewyD6YAvv4IScwI.exe
"C:\Users\Admin\Pictures\fndn0JFQGewyD6YAvv4IScwI.exe"
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClient confirm
C:\Users\Admin\AppData\Local\Temp\u4ck.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4ck.0.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
C:\Users\Admin\AppData\Local\Temp\u3ts.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u3ts.2\run.exe"
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe
"C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe" --silent --allusers=0
C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe
C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a0,0x2a4,0x2a8,0x120,0x2ac,0x6adfe1d0,0x6adfe1dc,0x6adfe1e8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\u1wfpxgDHV6skxM1Fy0QY0QV.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\u1wfpxgDHV6skxM1Fy0QY0QV.exe" --version
C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe
"C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4312 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425223045" --session-guid=3601f146-8a6b-45b1-8cf5-28306e354ae1 --server-tracking-blob="YjlkZWE3OTA5ZmE1ZDUzZjhlZjhkMDk4ZjNlNjkzY2U1OWVlOTI2ZTU2YjE0NDNiZGU5YTJiMWI4YjAxMzdhZjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MDg0MjIxLjI2ODUiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMjA2Mzg3NjItYTUxZS00OGJmLTgwYWUtYjQ4NGM0ZjkzMDQwIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C004000000000000
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClientC
C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe
C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x69c2e1d0,0x69c2e1dc,0x69c2e1e8
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClientC confirm
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe
"C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe" --silent --allusers=0
C:\Users\Admin\Pictures\N0l0UJd7MsNGmjMt43mJTRfK.exe
"C:\Users\Admin\Pictures\N0l0UJd7MsNGmjMt43mJTRfK.exe"
C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe
C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a0,0x2a4,0x2a8,0x258,0x2ac,0x6926e1d0,0x6926e1dc,0x6926e1e8
C:\Users\Admin\Pictures\kNfpNDOUekHYoBya0eTdMtCT.exe
"C:\Users\Admin\Pictures\kNfpNDOUekHYoBya0eTdMtCT.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\glS8pK7urpGl0V4Uglg8faYl.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\glS8pK7urpGl0V4Uglg8faYl.exe" --version
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\AppData\Local\Temp\u3ts.3.exe
"C:\Users\Admin\AppData\Local\Temp\u3ts.3.exe"
C:\Users\Admin\AppData\Local\Temp\u4ck.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u4ck.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\Pictures\Hi4IYDKds9gYDcBNtiTroBud.exe
"C:\Users\Admin\Pictures\Hi4IYDKds9gYDcBNtiTroBud.exe"
C:\Users\Admin\Pictures\xwQ4rB9tg3am9UsDtsfZJtfz.exe
"C:\Users\Admin\Pictures\xwQ4rB9tg3am9UsDtsfZJtfz.exe"
C:\Users\Admin\AppData\Local\Temp\u4ck.3.exe
"C:\Users\Admin\AppData\Local\Temp\u4ck.3.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3F03.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:32:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\DgywIex.exe\" em /MFsite_idphQ 385118 /S" /V1 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:32:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dvsbjhP.exe\" em /tBsite_idQao 385118 /S" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\Temp\321938.exe
"C:\Windows\Temp\321938.exe" --list-devices
C:\Windows\Temp\660037.exe
"C:\Windows\Temp\660037.exe" --coin BTC -m ADDRESSES -t 0 --range 3ff830d86c0000000:3ff830d8700000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
C:\Users\Admin\Pictures\VX91subzGlh8JGsVl1hkHR4E.exe
"C:\Users\Admin\Pictures\VX91subzGlh8JGsVl1hkHR4E.exe"
C:\Users\Admin\Pictures\fndn0JFQGewyD6YAvv4IScwI.exe
"C:\Users\Admin\Pictures\fndn0JFQGewyD6YAvv4IScwI.exe"
C:\Users\Admin\Pictures\A0DBxEb4CWJ5lqC6fVrKqGZv.exe
"C:\Users\Admin\Pictures\A0DBxEb4CWJ5lqC6fVrKqGZv.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x238,0x23c,0x240,0x20c,0x210,0x336038,0x336044,0x336050
C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe
"C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe"
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dvsbjhP.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dvsbjhP.exe em /tBsite_idQao 385118 /S
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gQoElPrcH" /SC once /ST 00:57:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gQoElPrcH"
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gQoElPrcH"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 21:03:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\AQBKmYi.exe\" XT /iCsite_idiFA 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\AQBKmYi.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\AQBKmYi.exe XT /iCsite_idiFA 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\PWRvhM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\AvxxVxR.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qbSDwEgyNYPZlGA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\ACMxZui.xml" /RU "SYSTEM"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\lmalwfO.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\uvpBegG.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\GDwEUmD.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 17:08:32 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\GYQTtcim\mEUtEMq.dll\",#1 /Pbsite_idsVj 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QhciBzJOokLnyYZub"
\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\GYQTtcim\mEUtEMq.dll",#1 /Pbsite_idsVj 385118
C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\GYQTtcim\mEUtEMq.dll",#1 /Pbsite_idsVj 385118
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Network
| Country | Destination | Domain | Proto |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | affordcharmcropwo.shop | udp |
| US | 172.67.181.34:443 | affordcharmcropwo.shop | tcp |
| US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp |
| US | 104.21.72.132:443 | cleartotalfisherwo.shop | tcp |
| US | 8.8.8.8:53 | 34.181.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | worryfillvolcawoi.shop | udp |
| US | 172.67.199.191:443 | worryfillvolcawoi.shop | tcp |
| US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | 132.72.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.199.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dismissalcylinderhostw.shop | udp |
| US | 172.67.205.132:443 | dismissalcylinderhostw.shop | tcp |
| US | 8.8.8.8:53 | diskretainvigorousiw.shop | udp |
| US | 172.67.211.165:443 | diskretainvigorousiw.shop | tcp |
| US | 8.8.8.8:53 | 233.18.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.205.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | communicationgenerwo.shop | udp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| US | 8.8.8.8:53 | pillowbrocccolipe.shop | udp |
| US | 104.21.47.56:443 | pillowbrocccolipe.shop | tcp |
| US | 8.8.8.8:53 | 165.211.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.47.21.104.in-addr.arpa | udp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| DE | 185.172.128.33:8970 | tcp | |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 172.67.150.207:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 172.67.147.41:443 | tolerateilusidjukl.shop | tcp |
| US | 8.8.8.8:53 | 33.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.150.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.147.67.172.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 172.67.169.43:443 | shatterbreathepsw.shop | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 104.21.16.225:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | 43.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 104.21.48.243:443 | alcojoldwograpciw.shop | tcp |
| US | 8.8.8.8:53 | 225.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.86.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.48.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 104.21.44.3:443 | liabilitynighstjsko.shop | tcp |
| RU | 185.215.113.67:26260 | tcp | |
| US | 8.8.8.8:53 | 3.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 172.67.147.169:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 169.147.67.172.in-addr.arpa | udp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| RU | 5.42.65.67:48396 | tcp | |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| FR | 52.143.157.84:80 | 52.143.157.84 | tcp |
| US | 8.8.8.8:53 | 67.65.42.5.in-addr.arpa | udp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 8.8.8.8:53 | skategirls.org | udp |
| US | 8.8.8.8:53 | realdeepai.org | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.157.143.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.79.21.104.in-addr.arpa | udp |
| US | 172.67.193.79:443 | realdeepai.org | tcp |
| US | 172.67.193.79:443 | realdeepai.org | tcp |
| US | 8.8.8.8:53 | jonathantwo.com | udp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| RU | 77.221.151.47:80 | 77.221.151.47 | tcp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.193.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.176.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.151.221.77.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 8.8.8.8:53 | skategirls.org | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 172.67.193.79:443 | realdeepai.org | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 172.67.193.79:443 | realdeepai.org | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 106.76.97.176.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| DE | 185.172.128.228:80 | tcp | |
| NL | 185.26.182.124:443 | tcp | |
| NL | 185.26.182.124:443 | tcp | |
| NL | 82.145.217.121:443 | tcp | |
| NL | 185.26.182.117:443 | tcp | |
| NL | 82.145.216.15:443 | tcp | |
| US | 2.16.106.156:443 | tcp | |
| NL | 185.26.182.124:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 104.26.9.59:443 | tcp | |
| US | 34.117.186.192:443 | tcp | |
| US | 8.8.8.8:53 | 59.9.26.104.in-addr.arpa | udp |
| US | 104.26.9.59:443 | tcp | |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | tcp | |
| US | 34.117.186.192:443 | tcp | |
| US | 20.157.87.45:80 | tcp | |
| RU | 5.42.66.10:80 | tcp | |
| DE | 185.172.128.76:80 | tcp | |
| US | 8.8.8.8:53 | 76.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.76:80 | tcp | |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 143.244.56.51:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 51.56.244.143.in-addr.arpa | udp |
| RU | 77.221.151.47:8080 | tcp | |
| RU | 91.215.85.66:15647 | tcp | |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 66.85.215.91.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 199.232.210.172:80 | tcp | |
| US | 199.232.210.172:80 | tcp | |
| US | 199.232.210.172:80 | tcp | |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 185.26.182.117:443 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| US | 8.8.8.8:53 | 89.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 145.155.9.20.in-addr.arpa | udp |
| RU | 77.221.151.47:8080 | tcp | |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 3.80.150.121:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 121.150.80.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api5.check-data.xyz | udp |
| US | 44.239.127.146:80 | api5.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 146.127.239.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2835a0d1-f2ee-427a-b2fd-65f8e54e5645.uuid.statscreate.org | udp |
| US | 8.8.8.8:53 | server15.statscreate.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.ipfire.org | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server15.statscreate.org | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 44.27.3.81.in-addr.arpa | udp |
Files
memory/2916-0-0x0000000000B00000-0x0000000000FB7000-memory.dmp
memory/2916-1-0x00000000777A4000-0x00000000777A5000-memory.dmp
memory/2916-3-0x0000000004B20000-0x0000000004B21000-memory.dmp
memory/2916-2-0x0000000000B00000-0x0000000000FB7000-memory.dmp
memory/2916-9-0x0000000004B40000-0x0000000004B41000-memory.dmp
memory/2916-8-0x0000000004B00000-0x0000000004B01000-memory.dmp
memory/2916-7-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
memory/2916-6-0x0000000004B50000-0x0000000004B51000-memory.dmp
memory/2916-5-0x0000000004B10000-0x0000000004B11000-memory.dmp
memory/2916-4-0x0000000004B30000-0x0000000004B31000-memory.dmp
memory/2916-11-0x0000000004B70000-0x0000000004B71000-memory.dmp
memory/2916-12-0x0000000004B60000-0x0000000004B61000-memory.dmp
memory/2916-16-0x0000000000B00000-0x0000000000FB7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
| MD5 | 7b51614032cf0e89432f5ff123c65044 |
| SHA1 | c9aeeee7d2db471eac0bf71cfa948d491a2bb4b6 |
| SHA256 | f9e1bf035e5664900080e1ae1d88d6249049aec0da812c49bb976af43a7bc287 |
| SHA512 | 20603dc18c014996fdf5773f473471527c8454c64c67344264ffa1798ed151d4bb09375fc151b2cfa4503607b707db18d9f0ba96775872fc3e94be58963b55f2 |
memory/1680-19-0x0000000001120000-0x00000000015D7000-memory.dmp
memory/1680-24-0x00000000057F0000-0x00000000057F1000-memory.dmp
memory/1680-23-0x0000000005850000-0x0000000005851000-memory.dmp
memory/1680-22-0x0000000005820000-0x0000000005821000-memory.dmp
memory/1680-26-0x0000000005800000-0x0000000005801000-memory.dmp
memory/1680-25-0x0000000005810000-0x0000000005811000-memory.dmp
memory/1680-21-0x0000000005830000-0x0000000005831000-memory.dmp
memory/1680-20-0x0000000001120000-0x00000000015D7000-memory.dmp
memory/1680-27-0x0000000005880000-0x0000000005881000-memory.dmp
memory/1680-28-0x0000000005870000-0x0000000005871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/200-42-0x0000000000CD0000-0x0000000000D22000-memory.dmp
memory/200-43-0x00000000729F0000-0x00000000730DE000-memory.dmp
memory/2296-46-0x0000000000400000-0x000000000044C000-memory.dmp
memory/2296-49-0x0000000000400000-0x000000000044C000-memory.dmp
memory/200-50-0x0000000003020000-0x0000000005020000-memory.dmp
memory/2296-52-0x0000000001480000-0x00000000014C0000-memory.dmp
memory/2296-51-0x0000000001480000-0x00000000014C0000-memory.dmp
memory/2296-53-0x0000000001480000-0x00000000014C0000-memory.dmp
memory/2296-54-0x0000000001480000-0x00000000014C0000-memory.dmp
memory/2296-55-0x0000000001480000-0x00000000014C0000-memory.dmp
memory/2296-56-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/956-70-0x0000000000400000-0x0000000000592000-memory.dmp
memory/1680-71-0x0000000001120000-0x00000000015D7000-memory.dmp
memory/2336-72-0x0000000000020000-0x00000000002D8000-memory.dmp
memory/956-75-0x00000000729F0000-0x00000000730DE000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
memory/1396-83-0x00000000729F0000-0x00000000730DE000-memory.dmp
memory/1396-84-0x0000000000100000-0x0000000000152000-memory.dmp
memory/1396-85-0x0000000004EC0000-0x00000000053BE000-memory.dmp
memory/1396-86-0x0000000004A60000-0x0000000004AF2000-memory.dmp
memory/1680-88-0x0000000001120000-0x00000000015D7000-memory.dmp
memory/1396-89-0x0000000004A50000-0x0000000004A60000-memory.dmp
memory/1396-87-0x00000000049D0000-0x00000000049DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp8865.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/2892-105-0x00000000004F0000-0x00000000005B0000-memory.dmp
memory/1396-108-0x0000000005540000-0x00000000055B6000-memory.dmp
memory/2892-109-0x00007FF931350000-0x00007FF931D3C000-memory.dmp
memory/200-110-0x00000000729F0000-0x00000000730DE000-memory.dmp
memory/1396-111-0x0000000005CD0000-0x0000000005CEE000-memory.dmp
memory/200-112-0x0000000003020000-0x0000000005020000-memory.dmp
memory/2892-113-0x000000001B1D0000-0x000000001B1E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
memory/1396-124-0x0000000006540000-0x0000000006B46000-memory.dmp
memory/1396-125-0x00000000060B0000-0x00000000061BA000-memory.dmp
memory/1396-127-0x0000000006040000-0x000000000607E000-memory.dmp
memory/1932-133-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1396-132-0x00000000061C0000-0x000000000620B000-memory.dmp
memory/1924-134-0x0000000000E20000-0x0000000000E94000-memory.dmp
memory/1932-136-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1932-137-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1396-126-0x0000000005FE0000-0x0000000005FF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
| MD5 | 8026082d59bac905bcc4098c69b98743 |
| SHA1 | 5c8bffce653aa3b6c3e14d5f02927648b5ca8768 |
| SHA256 | f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005 |
| SHA512 | 304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42 |
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
memory/4872-189-0x0000020F73AB0000-0x0000020F73AC0000-memory.dmp
memory/4872-187-0x00007FF931350000-0x00007FF931D3C000-memory.dmp
memory/3228-194-0x00000000729F0000-0x00000000730DE000-memory.dmp
memory/3228-193-0x0000000000950000-0x00000000009A2000-memory.dmp
memory/956-192-0x00000000729F0000-0x00000000730DE000-memory.dmp
memory/3228-195-0x0000000005200000-0x0000000005210000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-873560699-1074803302-2326074425-1000\76b53b3ec448f7ccdda2063b15d2bfc3_9251837d-e9a5-4229-9a78-b1085d98b1bb
| MD5 | c117b2495e0bf84ef6be7c4efd6974b8 |
| SHA1 | c26648871010d12fd8159e6cba9da8a129ccba22 |
| SHA256 | 321e013dd27479144dbc9adf9c76cdcce19dc34b76fe5a83448a98229bcff95a |
| SHA512 | 5ffb45f7d1891acdbbe4a51faa12b746758d21888ca3812d16a81f97770119207fc6fabff4913dbd4d80a70999ecf5afef11e1307dbdc1850fa2f272b9f1ca38 |
memory/4872-182-0x0000020F594A0000-0x0000020F5950E000-memory.dmp
memory/4872-213-0x0000020F5B100000-0x0000020F5B15E000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | bc66475ee3b9ba37ec6828944dadd734 |
| SHA1 | 9b82600ed9625cd85c114473a66b2160aea60b0a |
| SHA256 | 4c14b7589cf62d4a93c2e2e3f6b74c3b2424973df96e12dfbfb988cc6d29d409 |
| SHA512 | e45e908918f2c08cc2a1fe85f268c858a6bfa082c792ce893ef649aeffe7d570b791236f70f6f9e1ac2388173a6e5b76fe53a340685d0f1880bb2f28a440cbdf |
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
memory/292-229-0x0000000000170000-0x000000000019E000-memory.dmp
memory/1396-231-0x00000000729F0000-0x00000000730DE000-memory.dmp
memory/424-243-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2984-236-0x0000000000400000-0x0000000000408000-memory.dmp
memory/424-250-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
| MD5 | 7fabf15848c951f6665ec449c8c77098 |
| SHA1 | f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf |
| SHA256 | a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35 |
| SHA512 | 4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a |
memory/1680-289-0x0000000001120000-0x00000000015D7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vj2byeji.lk3.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\Pictures\6p7Lc6wCyyx5sjdGwLrlnZ6Q.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\4bfKBpwrjclcPetR6QZGvVSR.exe
| MD5 | 5639162c3324d30242a477f678cdf7ae |
| SHA1 | 6383b421604381f6418a65219e47629d110d5a9a |
| SHA256 | 5166f78d79dd4747fd9b2215b272427b8cf4cd80fa4fee5f1a291a81fb5f50cd |
| SHA512 | 02528ebb3e42f38b65152fb341e01dfe0d9aa6c381bdb742432335d8850af1fd7813d1369d05b03d884d61910fa5d1140ee6553bc25a0d5e043ef1c6d3aabd61 |
C:\Users\Admin\Pictures\uULd8wDgkRpZYPF3wlNOaWaV.exe
| MD5 | b6c03763d95cfc6ddfabcac9c0b36dc2 |
| SHA1 | 122d715c03c197df8e4ede8b94f4cd2c9dba6c57 |
| SHA256 | 77809f86a370b278605306dd2bc04c713e0061d7092c8b7e5a2c6334b49314a2 |
| SHA512 | e1dbfb5ed5d3d9c147433577893fde4db790cdd966dfae2a19c93ab4e97dc23662089fb0682e50ff4c7950ac75a955e9bc15ebc145e9f426b5f2e43c2d6a7199 |
memory/4044-335-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
| MD5 | 6184676075afacb9103ae8cbf542c1ed |
| SHA1 | bc757642ad2fcfd6d1da79c0754323cdc823a937 |
| SHA256 | a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b |
| SHA512 | 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa |
memory/424-400-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
C:\Users\Admin\AppData\Local\ybNrgxULfUnAMWHEEnovJtXp.exe
| MD5 | f8010cfbb1ea6f0c8525eaba77721cf7 |
| SHA1 | cf5e7b72af904301fa13f7ec8a8be324dde5c3ea |
| SHA256 | 5f07907b56589f833d0916aa6b4428977082a844878e620f49053dc868670f52 |
| SHA512 | f295deaf43a8a6f1ec8fc2172da6c569914e8e91f814ff575be2856b227a7ad3be889913113d8c0f690dcf7b321ba74adc74eac00b05e1abeb3a288b6ab5dcec |
C:\Users\Admin\AppData\Local\Temp\tmpD0D9.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
memory/1680-513-0x0000000001120000-0x00000000015D7000-memory.dmp
memory/4960-516-0x0000000000400000-0x0000000002C46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe
| MD5 | 986c6384b1282fbf0053f17ed64e8d6b |
| SHA1 | c92f082073a5d85f433c985b9d7cd62e4b03b239 |
| SHA256 | bb175eb1e0a3560fa5bd83ffa7291420e4be8382a2c36c9687018d77fe86721e |
| SHA512 | b46706cf42ade93c0ddc1925a2a1acca39da1183462b5121c01888e40c5bcc05e698b6929985e308495ed6f528fe01b51cf9204f51d38ad3e58ad8f859ab69f2 |
C:\Program Files (x86)\GameServerClient\installg.bat
| MD5 | b6b57c523f3733580d973f0f79d5c609 |
| SHA1 | 2cc30cfd66817274c84f71d46f60d9e578b7bf95 |
| SHA256 | d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570 |
| SHA512 | d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7 |
memory/1360-543-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3ts.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
memory/4980-556-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 039e44f4c3f36bbd059c2dee6ad0b06d |
| SHA1 | 4749f71f21eb9069cfacc3f2be88184c08ae19f8 |
| SHA256 | 1daf147d884f525ad7c501c492637ccd2202881d992893e762cc825e50f53576 |
| SHA512 | 1146f08174af0d3f854fac7d434cce0a6f639cb0057d9f5ed3bb897822198a87c5cdf2c361d9f2cff87bc0cd40bbad15ce271631608bdb548eea2bf1a3de0e08 |
C:\Program Files (x86)\GameServerClient\GameService.exe
| MD5 | d9ec6f3a3b2ac7cd5eef07bd86e3efbc |
| SHA1 | e1908caab6f938404af85a7df0f80f877a4d9ee6 |
| SHA256 | 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c |
| SHA512 | 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4 |
memory/5636-707-0x0000000000400000-0x0000000002C46000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 7ce47df53c8f0ba7ccf885c309afc484 |
| SHA1 | b25ad9723b06d3861498caa32ffb1b7b38701a95 |
| SHA256 | 7031b6b7bc43cf4ee90d4ec4860b78a442352243ea28f5d959b56222b13de2e4 |
| SHA512 | 78585fbfcfe2e7a27f0ee168075958923184e67da1668850d0e66e31f0fd0a5516c04a17693ad197da7ffffb179265cd54fe0629fa30e00a6f269c6d68277efd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5d2bce770d65e0ae6792874dcc48233 |
| SHA1 | 853be0952dc8a6ba3c0256f86392b96196483c32 |
| SHA256 | e84d4bfc979ea85f4b431584089da16709a836bae727dc3f1ee97e5092a2836f |
| SHA512 | 11abdf2bb84b0d8fc43c81e7f7af5400889c3d3d180f9533113f375893e014c1dd7ffae655f677318211ed1d894635b56223cb712c460d6e6a55c045ba401998 |
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
| MD5 | bf4360d76b38ed71a8ec2391f1985a5f |
| SHA1 | 57d28dc8fd4ac052d0ae32ca22143e7b57733003 |
| SHA256 | 4ebec636d15203378e15cc11967d00cbd17e040db1fca85cf3c10bbf7451adaf |
| SHA512 | 7b46bc87dc384d8227adf5b538861165fa9efa18e28f2de5c1a1bb1a3a9f6bef29b449706c4d8e637ae9805bb51c8548cb761facf82d1c273d3e3699ae727acd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1713c1068fbcd242e0e2a7409a1dc4f1 |
| SHA1 | 1421c2e7c40559e382f9c8e7cd449a693e2ee4c4 |
| SHA256 | 3562ad72f78b76bcb26547ff3a74dea0c86e9d3e97efbeaba663c5300e3d2769 |
| SHA512 | 0b18ced85a8657e03b123b682333cf81358d2b9edc10c390c9d4e500d9e0c91995bc65cdf7cf45a74a9531f6724cabe9f3751fd4782f0eeefefb4ba84d3c04c1 |
C:\Users\Admin\AppData\Local\Temp\u3ts.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
memory/1680-758-0x0000000001120000-0x00000000015D7000-memory.dmp
memory/4960-759-0x0000000000400000-0x0000000002C46000-memory.dmp
memory/6132-760-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5268-761-0x0000000000400000-0x0000000003005000-memory.dmp
memory/1360-764-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Users\Admin\Pictures\u1wfpxgDHV6skxM1Fy0QY0QV.exe
| MD5 | f75a721168b26ed37766cea55ab2601c |
| SHA1 | c878bc98c0571bae149c5a716811ea0f082f793a |
| SHA256 | a438d6fb093ab1057905c745d8be9199ce8ff5b8c7a74ba274cf0f2a491a4ef4 |
| SHA512 | 166abccddc272c1d487195e340ff0ea9e4e51376e04308195f198aaf6744437818606cd3ef3f217ecf89a474d677b01bd5fc6bbf491883f912318d6c37b16455 |
\Users\Admin\AppData\Local\Temp\Opera_installer_2404252230432084312.dll
| MD5 | 45fe60d943ad11601067bc2840cc01be |
| SHA1 | 911d70a6aad7c10b52789c0312c5528556a2d609 |
| SHA256 | 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add |
| SHA512 | 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba |
memory/3900-783-0x000000006A250000-0x000000006A3CB000-memory.dmp
memory/3900-784-0x00007FF94DFB0000-0x00007FF94E18B000-memory.dmp
memory/4980-792-0x0000000000400000-0x0000000003005000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/5636-845-0x0000000000400000-0x0000000002C46000-memory.dmp
memory/3900-866-0x000000006A250000-0x000000006A3CB000-memory.dmp
memory/1680-880-0x0000000001120000-0x00000000015D7000-memory.dmp
C:\Users\Admin\Pictures\glS8pK7urpGl0V4Uglg8faYl.exe
| MD5 | df6f31e8f5932ede1ac816775d68a7db |
| SHA1 | a734ee93779fafc90beeb511a99e90b8d3335bbd |
| SHA256 | 1de6cb566557a3e8703ec676a8e626e192f095f35640575bdabb5d2edb179c40 |
| SHA512 | caee1a09e4091f2b649cc831773e2e13600d75ff47ef252e126c099bad4a29feac7c76d6f7f718e4c6be344dc0e2fcd00498514a6beca20f4a977a1e597ffbf4 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/6132-895-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5268-907-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
memory/1360-908-0x0000000000400000-0x0000000003005000-memory.dmp
memory/4632-917-0x00007FF94DFB0000-0x00007FF94E18B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u4ck.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
memory/4980-933-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u4ck.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u4ck.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
memory/4960-993-0x0000000000400000-0x0000000002C46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u4ck.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/6592-1006-0x000000006A250000-0x000000006A3CB000-memory.dmp
memory/6592-1011-0x00007FF94DFB0000-0x00007FF94E18B000-memory.dmp
C:\Users\Admin\Pictures\xwQ4rB9tg3am9UsDtsfZJtfz.exe
| MD5 | d981fb3fc1f28bea729db051c75dae08 |
| SHA1 | d5eea12045a6d998da1a362f70748fc09874d0b4 |
| SHA256 | aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f |
| SHA512 | a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb |
memory/5636-1012-0x0000000000400000-0x0000000002C46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u4ck.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/5636-1043-0x0000000000400000-0x0000000002C46000-memory.dmp
memory/1680-1066-0x0000000001120000-0x00000000015D7000-memory.dmp
memory/6036-1076-0x0000000000400000-0x0000000000846000-memory.dmp
memory/7028-1075-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\Install.exe
| MD5 | e77964e011d8880eae95422769249ca4 |
| SHA1 | 8e15d7c4b7812a1da6c91738c7178adf0ff3200f |
| SHA256 | f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50 |
| SHA512 | 8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 5c3e994c103c8ef6b4d39fbc13ff3dda |
| SHA1 | 0c93b59816d33ce2490cf06dec7f4667247f77c3 |
| SHA256 | a6c88c9298cea4a022bb9b1dabef9df6ca4fa2c8e83d01d755ebb5893340563f |
| SHA512 | 2f4a5d8cebb7f81b9e8b309a91a77be1d99903675ae1fd8a6306e573b7783f30797fea43c90602f861e51b226fc81fbee21ba89f4153476706f60fe99ddbe972 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | e473e3946573b90708bde22b29a02940 |
| SHA1 | 7dc064d815aed7a15b91115526a48a4c50181839 |
| SHA256 | 1ed3a0144651fd6ead2d235a353455e80d09272a08132b4187bd51423a26bfbd |
| SHA512 | 54d2c69005b8918f11df17f4f7be7d807c6b7429e9accfb4a4843b188d31dc69129a5b5ee03a18e4939d0be71a02a7688cad0ebd6356235c336372f72259193e |
C:\Users\Admin\AppData\Local\Temp\tmpF851.tmp
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\opera_package
| MD5 | b7e7c07657383452919ee39c5b975ae8 |
| SHA1 | 2a6463ac1eb8be1825b123b12f75c86b7fff6591 |
| SHA256 | 1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9 |
| SHA512 | daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404252230451\additional_file0.tmp
| MD5 | 15d8c8f36cef095a67d156969ecdb896 |
| SHA1 | a1435deb5866cd341c09e56b65cdda33620fcc95 |
| SHA256 | 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8 |
| SHA512 | d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 3cef4dfadd6c840c867d315c02bfd295 |
| SHA1 | 9d506625424a2e9d21fefd47beeba3d6fc2f555f |
| SHA256 | d1662851581e2111be37fa20630b900b830cd7c9d98c6e3506e05dccd137c75d |
| SHA512 | 73c03630a60cf81664a69446c037733e94f04bdbebc74b6abbe62c6aa614e8dc7e2aaa03a4710d8287acde9f64009d40d839fbaa72399223e0878400ace81968 |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | f562bb3e60c14a1a9059beedbee685f9 |
| SHA1 | d04ecb1cf6bb0fc97a20b7b5ce696a69915dd189 |
| SHA256 | 3d8ad2ba1198931971f6eb04083f5412bc66274cbb9e4bc9bc92a1f025d3b85f |
| SHA512 | 5c0b2709376e210c212760791c75e5d01e1fe541eff4f8da0e0a1345838a563b8c0f14c5f913bc51afdfcd830c8d85eb6b365dbae739c058f0fe21a1db6fa335 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | e7bd8b1fc43753c3bff7f7f6dc738466 |
| SHA1 | 706f95b3ccde2bff396415eea5257758a3da94f4 |
| SHA256 | 695e5810fb0fbb30df794b4b811790d1184680ff7afd1a3a9edbe19bf910432c |
| SHA512 | f62d90131c3d5ae1ae149c6e3e3c518db420605accad1f3e0f4791d462268b34cfbfe23ecd52ce5e4c38bae102bf8b6c9eafa40c9707ab263e91bd4ca01ac3ea |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
| MD5 | 516209f083f89d9658fbd0a685a9f2e2 |
| SHA1 | 536659cf49ab7ca6cfcae8db5d0c5045e89116a5 |
| SHA256 | cb5715ec1991b798e8d410bd82b7d2cd9ebe43995edb84b6ab3d930cabc9fe82 |
| SHA512 | 6c410ea50322e8ef87346db65f060d5f90c00426b2b5b32d0ae2ce4a0a5f2fb11e71a12870803c98f93b0b1c4056514ffbf3d58c2d3b6251b577be50a2bab4b9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | dab769b58773f31715c627422f30f814 |
| SHA1 | 79a7a1bd7f3672ca07105b3600f6c8428368ae97 |
| SHA256 | 067dfe4e9201bade4c99a8ed5a9d0d7bb4423efd9d66aa6a7cbad0e3bbb4db31 |
| SHA512 | 2e88373c0eeee9349694aaecf98fe798bcd0fff6935089a2093efb0a86ada9fbf02ddfae426a4871307078fdcc656adb4d7ef107d5545fd1c791306c31d8f1d5 |
C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\charmap.exe
| MD5 | e35a9d0f7ce4eac01063af580938d567 |
| SHA1 | b56cb9f141c3a307f339880c23d2b9ac8c177196 |
| SHA256 | a8891ead974a428655ee5f25d4976242fcb49918698addb06e029d6e5470e22a |
| SHA512 | b9667316d038d80be4b1a1b8d3211f04c240117c9c6f9db028b882f9447c2658064cd79f3a34954afd524ed7718ad90b959f09308f82129b499d0cad5d0f8923 |
C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\BitLockerWizard.exe
| MD5 | ff14495654c9db0b82481cf562cf70d2 |
| SHA1 | b610e43426b934e9c90acfed213638c64d24fc13 |
| SHA256 | a7f666489614c94c8677f159d7bd3edbb210df77f94acd6e68979b1dd0ea2649 |
| SHA512 | e77d1a90a8f762839b01c05b59006d82c9b588a78db8d1e78f0bd0e5774ea50ef6fcec4ce7298b6952026e6ae3b48c8c381c917c01420fc9c8f000d0236d9917 |
C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\atieah64.exe
| MD5 | bbd4e96b91fcf16a38da733c6939d47f |
| SHA1 | 66073fff85d4fbd9de5102c70096c7dbb4ff5a6e |
| SHA256 | 5fd16e242c136447fb7b0ffbd8cbff3635b05c94cd90af3f1e99fad7ef6295e5 |
| SHA512 | 9adeceb309c33217b2e4a5dfe343306fabd4fc2b62d9ba860f52bc6af84d6f7f078890b7d0e7dd4d54467315c2426722c77485419e6b40f5acced27472b71729 |
C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\AppVNice.exe
| MD5 | 0b6cde84d57c866473357ff6915961f7 |
| SHA1 | dc701582d291e8128c6a5d6c981d7857f4357a64 |
| SHA256 | 14f631bb8112f04d38dc3bdbfbc6641cad0fa2e6ef5d09211396f126eacb2869 |
| SHA512 | 3c5bf3caa0a9b6e6009b4503776cdb610ad060fe22b34d567da8862391fb7fe5a6270037fd507be74f3e8b783c5ca9eef2cbf410e62943f5d9a7329eb8e265f8 |
C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\amdfendrsr.exe
| MD5 | 5e18b81a9f038cd2e6ac3a9ffbde9b5d |
| SHA1 | 7150f9b2b238b5b2c3573c66c4741831e941a1e6 |
| SHA256 | 523bcc22c0380ffa1aaf4bbf29808b1ad9c9f532e0405b923cc51000eb875fbd |
| SHA512 | f55a8b158d8385c3eaba5fd2159b1e66859b6318a5ec5e221283349a584b5c63a306215d483b300fb1fb019c9fa8ae25d75d9c80b0ad33d25e41d10ce47447a7 |
C:\Users\Admin\AppData\Local\Temp\7zS40D8.tmp\agentactivationruntimestarter.exe
| MD5 | cbcf178f0c9a0cca3d88f2a46bca0d58 |
| SHA1 | 789b4712bdc99583a9a5770a620bb6d87051f34b |
| SHA256 | 95539fc4b845de78db0d44d414bab07bd420f83cc42bb6ed5bc3d0f35124a405 |
| SHA512 | babe0613c92ccdf30302afa03b63f06c3073705cebe471a621635d38bb8a9f55ece8eb9c4e60913a17352f64c466a20f7bb58ff9971302895b39f0a6050c4609 |