Malware Analysis Report

2025-01-02 11:08

Sample ID 240310-prrcfscf87
Target file.exe
SHA256 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
Tags
dcrat glupteba smokeloader socks5systemz pub1 backdoor botnet discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

dcrat glupteba smokeloader socks5systemz pub1 backdoor botnet discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx

DcRat

Glupteba

SmokeLoader

Socks5Systemz

Glupteba payload

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Reads data files stored by FTP clients

Unexpected DNS network traffic destination

Adds Run key to start application

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver.

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-10 12:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 12:34

Reported

2024-03-10 12:36

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2180 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-10 12:34

Reported

2024-03-10 12:36

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nCKytdSB5KynFC85zAiaClrW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locXPTpXtGAi2iIwIOCjSk6g.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cAbuhFFm3sGZEGrlbX8f7Nfw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4WojiqiVx9md8GR8I0C4iz2b.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JNy39JoOJRzNuLwJbwm9miIZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rRb0jtjxrnIIVBVBJay5pfS9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe N/A
N/A N/A C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe N/A
N/A N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
N/A N/A C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
N/A N/A C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q5k45BSDMtuPVECVy92Za6sx.exe N/A
N/A N/A C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
N/A N/A C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1700 set thread context of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [Blob value elided] C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [Blob value elided] C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [Blob value elided] C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [Blob value elided] C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp N/A
N/A N/A C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe N/A
N/A N/A C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
N/A N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1700 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 692 wrote to memory of 60 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe
PID 692 wrote to memory of 60 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe
PID 692 wrote to memory of 60 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe
PID 60 wrote to memory of 316 N/A C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp
PID 60 wrote to memory of 316 N/A C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp
PID 60 wrote to memory of 316 N/A C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp
PID 316 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
PID 316 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
PID 316 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
PID 316 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
PID 316 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
PID 316 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
PID 692 wrote to memory of 1652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe
PID 692 wrote to memory of 1652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe
PID 692 wrote to memory of 1652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe
PID 692 wrote to memory of 4772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
PID 692 wrote to memory of 4772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
PID 692 wrote to memory of 4772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe
PID 4772 wrote to memory of 3536 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 3536 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 3536 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe
PID 692 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe
PID 692 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe
PID 2308 wrote to memory of 2816 N/A C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2308 wrote to memory of 2816 N/A C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2308 wrote to memory of 2816 N/A C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2308 wrote to memory of 3660 N/A C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2308 wrote to memory of 3660 N/A C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2308 wrote to memory of 3660 N/A C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3660 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 8 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 8 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 8 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4628 wrote to memory of 4908 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 4908 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 4908 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 4180 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\system32\cmd.exe
PID 4628 wrote to memory of 4180 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4180 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4628 wrote to memory of 3996 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 3996 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 3996 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 904 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 904 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 904 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 1356 N/A C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe C:\Windows\rss\csrss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe

"C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe"

C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp

"C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp" /SL5="$E0062,1697450,56832,C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe"

C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe

"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i

C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe

"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s

C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe

"C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe"

C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe

"C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe

"C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3536 -ip 3536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1744

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe

"C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe

"C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe" --silent --allusers=0

C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe

C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2f0,0x300,0x6e8a21c8,0x6e8a21d4,0x6e8a21e0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q5k45BSDMtuPVECVy92Za6sx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q5k45BSDMtuPVECVy92Za6sx.exe" --version

C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe

"C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3876 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240310123443" --session-guid=9477b60e-ec3c-4c23-97a4-17043994aafc --server-tracking-blob=Y2JhYTNlZjQ5NGNjYjliOWFiYjdlODFiZDRkMGQyMGJjOTU2MmNkNjk5YTI1Njk1ZjI2ZTU0ZWVjZWI2MDRhYTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMDA3NDA1OC4yMzY2IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJiZWJiOTdiOC04ZWZiLTQ1NzgtODQ4Ny05MGFiMDY0NWUxNWEifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4005000000000000

C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe

C:\Users\Admin\Pictures\q5k45BSDMtuPVECVy92Za6sx.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x2f0,0x300,0x304,0x2d4,0x308,0x6df221c8,0x6df221d4,0x6df221e0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403101234431\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x530040,0x53004c,0x530058

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1092

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.21.79.77:443 yip.su tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 namecloudvideo.org udp
DE 185.172.128.126:80 185.172.128.126 tcp
US 8.8.8.8:53 midnight.bestsup.su udp
US 8.8.8.8:53 net.geo.opera.com udp
US 15.204.49.148:80 15.204.49.148 tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
RU 193.106.174.70:80 galandskiyher5.com tcp
US 172.67.171.112:80 midnight.bestsup.su tcp
US 172.67.164.28:443 namecloudvideo.org tcp
US 8.8.8.8:53 shipbank.org udp
US 104.21.10.217:443 shipbank.org tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 77.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 126.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
US 8.8.8.8:53 28.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 148.49.204.15.in-addr.arpa udp
US 8.8.8.8:53 70.174.106.193.in-addr.arpa udp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 217.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.187:80 185.172.128.187 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 187.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 19.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.93:443 features.opera-api2.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 6b74b21e-632c-4ae1-a15c-b97ee370c66f.uuid.realupdate.ru udp
NL 82.145.216.23:443 download.opera.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.243:443 download3.operacdn.com tcp
US 8.8.8.8:53 23.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 93.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 243.143.101.95.in-addr.arpa udp
GB 88.221.135.217:80 tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 udp
CH 172.217.210.127:19302 udp
BG 185.82.216.96:443 tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
RU 193.106.174.70:80 galandskiyher5.com tcp
US 8.8.8.8:53 tradein-myus.com udp
US 8.8.8.8:53 trade-inmyus.com udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BG 185.82.216.96:443 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
HK 141.98.234.31:53 dldnrwd.info udp
US 8.8.8.8:53 31.234.98.141.in-addr.arpa udp
TR 195.16.74.230:80 dldnrwd.info tcp
NL 45.155.249.96:2023 tcp
US 8.8.8.8:53 96.249.155.45.in-addr.arpa udp
US 8.8.8.8:53 230.74.16.195.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp

Files

memory/692-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/692-1-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/692-2-0x0000000005740000-0x0000000005750000-memory.dmp

C:\Users\Admin\Pictures\35g0sPicqdQXWNY48pVYrgLZ.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\WqvUjjnPluYpb8wCHhD0buwD.exe

MD5 328adf79d56fef9b88089e2ccb17c8a0
SHA1 35a90318f8ab8ec3f99ca37b9d4b212e78867420
SHA256 d8e189e63bbe2fe65b973190b5ed8dbad9e7e90d2a086cfc0f1745c3d06e525b
SHA512 f16e15cf2f1012ceeba6017590e5f5fa3aec4a6441b29df6808d4f68fdbca4201d53c25aca84cba9549fff052864a5ec7ff7dc9022bd75e07fa4e9b5c8284667

memory/60-27-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-75APT.tmp\WqvUjjnPluYpb8wCHhD0buwD.tmp

MD5 085aca27fe0b6d4c479500fb4a586129
SHA1 88e775fab99e3bc02e2bc44b0171b8a70cc5f9a3
SHA256 6cdeb9602e2346ea8c4b86eaf32bf07dea3350a9fa4ae99f5c15fcde96055cb7
SHA512 a7d37e57f1421a8b407204aad3089995dd2eb6fc03a37dbb0f2b8a3c387143f55e1e41c04059db265f330e96fd17d8d7c56bfc4398810b90b69cbe59e156339b

memory/316-33-0x00000000005E0000-0x00000000005E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-J4JCU.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe

MD5 3b5b9bd8bbf39e9996072c71dfbcf7ca
SHA1 ba59908f0714a7e1682b3edefb0b723fbf8e8a38
SHA256 45397a25baca6fdcf93bfa132e6be8c3ef2403b09ec049e164c365310ac1e5a7
SHA512 ecf2dc225a7de0e0321d000d8762a2bb4ea97c789ff4940d7e43eb9f76b79b50d3b1543b4ed4c69a82566336eed045d1dfa59d12c4d2df5032904806af101d28

memory/3296-63-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/3296-64-0x0000000000400000-0x00000000005DB000-memory.dmp

C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe

MD5 28c62765c0d3951c98331a12febbab59
SHA1 06894799aa377dca12da424bcf2a6a6f7400c8d8
SHA256 d00fa4460a6de61d26a035dd10bebfdcc0f28b81c85728e43e89af3d04da0260
SHA512 0ec630eef2e3b6d175732612f94196a738f62a7d79abe9c23497886c3d772c00f3c3896b5f6dac2eadfc91bf47798ee58d7717c96d59260165c3573a591d077d

memory/3296-68-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/3296-67-0x0000000000400000-0x00000000005DB000-memory.dmp

C:\Users\Admin\Pictures\u3Xpyo3vzUEhiidl1YpyOYFX.exe

MD5 38783b735530ec3595f8cfc57704e0a4
SHA1 297d2424423506702a6f42fff06b37a89a9fc8e6
SHA256 95d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d
SHA512 980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f

memory/3188-81-0x0000000000400000-0x00000000005DB000-memory.dmp

C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe

MD5 78441713602f8860f76dcb726d35c787
SHA1 be11ed46be79a6bf22290a887cc289d7a9bdeb48
SHA256 99e1a8a9641c7592de2101ed1de297d37226036e29f7839ca93c7ad5409a60af
SHA512 ab23f06273f4337c2ec0bb8ee53c736cfb93b6b58bb700a43c969be7c233881474afca360d21bad952a0f19f25ee8cb675f8ea7cce1e9f0f41c41033f12baef6

C:\Users\Admin\Pictures\jZ93yVW3Sw1HMmqyFo0txVQs.exe

MD5 fbd8c3441a6860996d762513c9db1bc9
SHA1 bf1c2916cec7eeb327d0857a1f484268425a7239
SHA256 dbdc20d075f94e8979dd5a75f6a26b47d60de1e88552bfda1805abab08f6454a
SHA512 c516760a64d2a5c166ba6cc14cda4b558c2f9db53465a98bfc50cc78c9a237809cb7a725f6e987ce32c93f8c49e6f1c1135fe7995bfd47df2c71030842ff6216

memory/1652-99-0x0000000000670000-0x0000000000770000-memory.dmp

memory/1652-101-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1652-100-0x00000000004C0000-0x00000000004CB000-memory.dmp

memory/692-103-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/4772-104-0x0000000002A00000-0x0000000002E08000-memory.dmp

memory/4772-105-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/692-106-0x0000000005740000-0x0000000005750000-memory.dmp

memory/4772-107-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/60-108-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3536-109-0x0000000002C80000-0x0000000002CB6000-memory.dmp

memory/3536-110-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/3536-113-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/316-112-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/3536-111-0x0000000002C00000-0x0000000002C10000-memory.dmp

memory/3536-114-0x0000000005840000-0x0000000005E68000-memory.dmp

memory/3536-115-0x00000000055D0000-0x00000000055F2000-memory.dmp

memory/3536-116-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/3536-122-0x0000000005F70000-0x0000000005FD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzaqncrt.sfu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3536-127-0x00000000060E0000-0x0000000006434000-memory.dmp

memory/3536-128-0x0000000006590000-0x00000000065AE000-memory.dmp

memory/3536-129-0x0000000006650000-0x000000000669C000-memory.dmp

memory/3536-130-0x0000000006AF0000-0x0000000006B34000-memory.dmp

memory/3536-131-0x00000000078C0000-0x0000000007936000-memory.dmp

C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe

MD5 fb7eac191e9c9b750d2039ec79edea19
SHA1 296c528bf34dfa3444e8b11d63cfe3956431fcd0
SHA256 1e5d6444bfabff040a71e0d656452e1050034523a96a454e7e9ca14af53825b9
SHA512 ac90fd6e17cf0fd03029e348f1c604f4748c32ad52fa7b3fcb92fb181ac1e6754e7312444c7a9598cae19b91e296866b2a4f680280b78e178c8164c19de9bd29

C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe

MD5 2b1ee4ff451d7fc5fac73c16956b9da2
SHA1 cd488bdeaa9ad3ba68e3cedee2b3d7c3120cbfe1
SHA256 2086fb1cdf52179c52dd7afdd29a9fae503defd979e721f447d48ed9b85c6f0b
SHA512 aa94cf386dc51b5be9d551bb5462c234c0f7c0193a74286909020ba6bb86e226da26f01e1c90c322f72d372d2ca4fca11445bbfbec658f4006c85cf46e783590

C:\Users\Admin\Pictures\HYGEKFd3yEB3UbFViv9Y0Trc.exe

MD5 f4fe0f9c69dbcdf0ecccf0e8f92e6895
SHA1 fada96c7107c270cc30462c95ff60747f0a999a8
SHA256 341de9c61303397763325e9ef5633bb74f8dabcfaaa8f79791f488bc180e425a
SHA512 1267c5cc297004d4c628e32744283360b77e94e028b6e3f715ca7a13d49709775642b913e322141bd32e50ceb4f1e149d361f258b368cf5b0967afed39ff5083

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 4daa194c9f29f77b6a97afcc50793020
SHA1 fa03fe3b16bc39ca17366c7b22bd71d0693cbf6f
SHA256 421f8d69e9d99d7e447bae84e0574e19c9210c6f6121944408be0669aa63c56e
SHA512 0638935945b3c181b59bda9dc13e53fc88cbbabe046af0460049f6e89688a9cd4e67783b93002330aa94cd25a04db492e1791bad4cc6c634ab6975affd63ba05

C:\Users\Admin\AppData\Local\Temp\nsd5C3B.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

memory/3536-151-0x0000000007FC0000-0x000000000863A000-memory.dmp

memory/3536-152-0x0000000007960000-0x000000000797A000-memory.dmp

memory/3536-153-0x000000007FC90000-0x000000007FCA0000-memory.dmp

memory/3536-154-0x0000000007B20000-0x0000000007B52000-memory.dmp

memory/3536-155-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

memory/3536-156-0x000000006EF20000-0x000000006F274000-memory.dmp

memory/3536-166-0x0000000007B60000-0x0000000007B7E000-memory.dmp

memory/3536-168-0x0000000007B80000-0x0000000007C23000-memory.dmp

memory/1652-170-0x0000000000400000-0x0000000000437000-memory.dmp
