Analysis Overview
SHA256
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Glupteba payload
DcRat
Detect ZGRat V1
Socks5Systemz
SmokeLoader
Detect Vidar Stealer
Detected Djvu ransomware
Windows security bypass
Stealc
ZGRat
Vidar
Glupteba
Modifies boot configuration data using bcdedit
Possible attempt to disable PatchGuard
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Modifies file permissions
Drops startup file
Unexpected DNS network traffic destination
Windows security modification
Loads dropped DLL
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 14:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 14:19
Reported
2024-03-11 14:21
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t4tl6jHO4SIWczGsNZGRqcUj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w4ZTapxD7GemwzqzaklQjmjK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bVUutufBdKDmV3ISoEdc5Dw1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m3sZcd0RM0fRh4ZiJbzIYFsP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AokHxFzZ7ruItC2LLQYtbas1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socks5Systemz
Stealc
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uX2AX2axOKzXlZbjtglSBcKC.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t4tl6jHO4SIWczGsNZGRqcUj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AokHxFzZ7ruItC2LLQYtbas1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w4ZTapxD7GemwzqzaklQjmjK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bVUutufBdKDmV3ISoEdc5Dw1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m3sZcd0RM0fRh4ZiJbzIYFsP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 152.89.198.214 | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uX2AX2axOKzXlZbjtglSBcKC.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\44fa3a3d-4775-4760-bbfe-779fdb5d41b8\\D663.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2856 set thread context of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 1640 set thread context of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | C:\Users\Admin\AppData\Local\Temp\D663.exe |
| PID 1076 set thread context of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | C:\Users\Admin\AppData\Local\Temp\D663.exe |
| PID 2436 set thread context of 1908 | N/A | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe |
| PID 2612 set thread context of 1076 | N/A | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240311141921.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jsjihsv | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jsjihsv | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jsjihsv | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jsjihsv | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe
"C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe"
C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
"C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe"
C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp" /SL5="$50186,1518993,56832,C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe"
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s
C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
"C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311141921.log C:\Windows\Logs\CBS\CbsPersist_20240311141921.cab
C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
"C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe
"C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\80E3.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\D663.exe
C:\Users\Admin\AppData\Local\Temp\D663.exe
C:\Users\Admin\AppData\Local\Temp\D663.exe
C:\Users\Admin\AppData\Local\Temp\D663.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {34F8806D-0F9B-4957-93E8-DCE9229BF71C} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\jsjihsv
C:\Users\Admin\AppData\Roaming\jsjihsv
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\44fa3a3d-4775-4760-bbfe-779fdb5d41b8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\D663.exe
"C:\Users\Admin\AppData\Local\Temp\D663.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\D663.exe
"C:\Users\Admin\AppData\Local\Temp\D663.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe
"C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe"
C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe
"C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe"
C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe
"C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe"
C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe
"C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1396
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
Network
Files
memory/2608-4-0x000000001B570000-0x000000001B852000-memory.dmp
memory/2608-5-0x0000000001C80000-0x0000000001C88000-memory.dmp
memory/2608-6-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
memory/2608-7-0x00000000028F0000-0x0000000002970000-memory.dmp
memory/2608-8-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
memory/2608-10-0x00000000028F0000-0x0000000002970000-memory.dmp
memory/2608-9-0x00000000028F0000-0x0000000002970000-memory.dmp
memory/2608-11-0x00000000028F0000-0x0000000002970000-memory.dmp
memory/2608-12-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
memory/2752-26-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2752-24-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2752-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2752-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2752-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2752-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2752-15-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2752-13-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2752-27-0x0000000074650000-0x0000000074D3E000-memory.dmp
memory/2752-28-0x0000000000430000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar1A4B.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe
| MD5 | e474dda04f6f90ba50ebff47395b19c9 |
| SHA1 | db1dc005639d232a25e074267239fd9e5fcbe6c7 |
| SHA256 | d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef |
| SHA512 | aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055 |
memory/1692-104-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/1692-103-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/1692-105-0x0000000000400000-0x0000000001A34000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b38087a9f30ddbe0b644248d021b83dc |
| SHA1 | ac395940b514a74445b5e1eccc78968d0598ca2c |
| SHA256 | 467dbb351da372e147275d5c8b8df3fc9b275f3a86b7d7c6747955210a71648a |
| SHA512 | 57244ed4e4a2f28e56956f28ac2f021a1dcaac946abb10c074a56d7a74706a3cc1414cf2b334f72189854d5d061a1fed6ee375952acdaf17a6ee0b0da205f568 |
\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
| MD5 | 3ca2f625386f7a3ca29376148974fa64 |
| SHA1 | 646443709518ef699bae4755b262370ff6e7fbcc |
| SHA256 | 25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4 |
| SHA512 | dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79 |
memory/1156-209-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1156-213-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
| MD5 | 150a46b9c3e09bc0ed8d581669fe605b |
| SHA1 | 760baa334e4e024e80f27f8e23b900600281a853 |
| SHA256 | 2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f |
| SHA512 | d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805 |
memory/2868-218-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-93EVG.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-93EVG.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2868-252-0x0000000003490000-0x000000000364B000-memory.dmp
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
| MD5 | 49fc5d878e59f728efd5427c905efbba |
| SHA1 | 35db9693fdd780fe3b4869dde52080dcd856d724 |
| SHA256 | fb04dbdeb681ff10f950aa2e225ae0168f165f9611e409f8b1eef1d45e13c2a8 |
| SHA512 | 1dece436bb60fca62f0bd07f78c6069e933cea87ff464c0444f57b2bae64f75bd5e0113a1465b32f933563cc13b5e20dbc47062c2db8add39314070afa2b4cca |
memory/1280-253-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/1280-254-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/1280-256-0x0000000000400000-0x00000000005BB000-memory.dmp
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
| MD5 | 0a6791a2ff80e4876383a2fa3f7493fe |
| SHA1 | bdaa74d716af8adbf01752597575b3ec6bb32e37 |
| SHA256 | e3d2126b727e9a8dc6c624f0f9ac777e941fa8bb42fa2b9a0adb825d6fb7f6a2 |
| SHA512 | affdfc53f442c0647285822627c8fea2d18c298d86c11c92ba7f413e3ef9936d117b8ec33b3c6d464415519ccf279ae95c60670fc9946ce7f1378c2be6d711b2 |
memory/1280-258-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/672-260-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/1184-261-0x0000000002500000-0x0000000002516000-memory.dmp
memory/1692-262-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/2752-266-0x0000000074650000-0x0000000074D3E000-memory.dmp
memory/672-267-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/2752-268-0x0000000000430000-0x0000000000470000-memory.dmp
\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
| MD5 | 0b4cc942124b93aef88050e38874a6d5 |
| SHA1 | 5263dfd5adfd7cda506ea69ea307d2096b392ba0 |
| SHA256 | 2063b0353a8afc87fe18faed69f654ae21e294d45169f7dca377965e1d527cb3 |
| SHA512 | 2fb06a3bf5bf15759138d3cbc025fa94bb5beac782bf4df2891b1f28655d6becf37d50ce44175671c4f02a9ea8f708561388a223f0d0570c0722e4f10bf972e8 |
\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
| MD5 | 7c800101dc4823fe1ae850f865937988 |
| SHA1 | 82a5788d4fee8b3aad20ff7a7aadfc47beb1afa6 |
| SHA256 | b8c9042050372a11fd996ad6bbe0349a1673a41956888799d9963c7d194cfad3 |
| SHA512 | 317b43b8ca34b4108355306bac32f58c1d2d8d4a348423b9061426405457e2e98b363c9fb2fa10c428ae8441686b960abbdc75957554c47adc95418319ea94f9 |
C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
| MD5 | cb5dcf49a515829a80edd2bf236b3b25 |
| SHA1 | c65f02bd132da2ab23298f047a26de0028184ac6 |
| SHA256 | f3cb66abf138e3e16dde1dadb4262097d0529cacf688893db89ed356dce06631 |
| SHA512 | a59cb612b8e68dc5a2d17cc6cf9253b4ea5c37277b2eba33885589457f31143496d1ddc74b83ea6af31084c4ad72b1809cdd6f084d72e4e1b848eb3a05d270de |
C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
| MD5 | 14434816cf8d07a99282c5d5c08bd313 |
| SHA1 | ada21eb4aec83894df4d9b9f7a76a649eae7c071 |
| SHA256 | 501a1920e502f5db7298f39f8f7a125e826f390b800f8316254e4fa84b58e5bc |
| SHA512 | 805cf29406c1f7727d5c6885e2301f72b15472efd67cc2f8c0c8f67fa2fccec0606cb591fc8dc19f0589e0a93686e16c165470c8af995362f105f80509416233 |
memory/1896-280-0x0000000003740000-0x0000000003B38000-memory.dmp
memory/1896-281-0x0000000003740000-0x0000000003B38000-memory.dmp
memory/1896-282-0x0000000003B40000-0x000000000442B000-memory.dmp
memory/1156-283-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
| MD5 | d184e9f455a3fb4b66cda4f480e2ebf8 |
| SHA1 | 1369492c1ce7ce4bd8cee7a9bde706b781fb9f46 |
| SHA256 | bbecbf128a00477ac026297bac7bd37e623bace32afdda18cd561a8ea5fa06ab |
| SHA512 | c4d335b6325e1638cc24476d4248cb5fa45e75564561fdff10c889b6d269fab9bf798f115c3858e50b0a39328845189571a7d67d4318d004a9a5cc0af8afd97e |
memory/1896-285-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
| MD5 | d57cb10c5c1f1d23da05314901f5742a |
| SHA1 | a9ab9014ba49617cc39c769fa977f6b905ab833c |
| SHA256 | 09f806e42e4300385d97ab72f42c34c1030d6f29c093e1201395180ca2970b5c |
| SHA512 | 392159ae26517ee9577965ae817b5376f76bc538f7ccf00d2d6721ddc230f02a3fbc81fc66c53b966deda742627aeb57eb417c7862d805ba20dd00b54c1e5ee3 |
memory/2524-288-0x00000000035B0000-0x00000000039A8000-memory.dmp
memory/2868-289-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2868-290-0x0000000003490000-0x000000000364B000-memory.dmp
memory/1896-287-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2524-291-0x00000000035B0000-0x00000000039A8000-memory.dmp
memory/2524-292-0x00000000039B0000-0x000000000429B000-memory.dmp
memory/2524-293-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/1896-294-0x0000000003740000-0x0000000003B38000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 1a17578c3cb57a2e2776c71978145c49 |
| SHA1 | cfdca7bfd1250cb3eb10c484d63c6e8a247ecf21 |
| SHA256 | 6c4d2627a55366417b90ae139fed20758e920c62cce0d4eedce2c3f154bfc265 |
| SHA512 | 017044a7f3bcc6c91a2eb26f929f8b35a8bde56fcc64560e95ff6c53fef3a5d6d774f325c88462a8e4801a95aff796a19df7ed68a609b1d18e4b9e98a75d807f |
\Windows\rss\csrss.exe
| MD5 | 549cefed369efe3a0b4ac42b2d2ca442 |
| SHA1 | 23c0a9a5d6772c13dbb9844571a839177ca7c2ca |
| SHA256 | 5cba3c90e33c49ad8fb79b745d3ff4d1fd233a71e9900b86f4bf7d6452aae57c |
| SHA512 | d7e4ee89caf1bc82a979d385c462d0127b74b85db2b00c5b2c717b48165c9644e258344ab582dd41bb55d68b5ad54ac5cd195ae99e444b3f9137faa23aa5060c |
memory/2496-304-0x00000000036D0000-0x0000000003AC8000-memory.dmp
memory/2524-303-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2496-305-0x00000000036D0000-0x0000000003AC8000-memory.dmp
memory/672-307-0x0000000000400000-0x00000000005BB000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | f0120d35baa630b5d0bd88357c941c88 |
| SHA1 | 3d6f658eafd4c7e7bfe1445c9b73f6af777a3e41 |
| SHA256 | 5509fb8ed4fec88c683f35deb2303078270f6298ddac4882a36da8cef7751dba |
| SHA512 | cedfbee2164ffb5a917777888deeb680ea0fa00e35c1aa21c801aedc155dcc35c289857fe2dd703dec897e18acf51bdba80a37cbcd2ca3ad145ca25c45a58ae3 |
memory/2496-308-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2868-310-0x0000000000400000-0x00000000004BC000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/1884-316-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 8fcc416ff8491b0012d1f885dc9818f8 |
| SHA1 | 5998d978b8507ef43f65bad157d522afcb63196e |
| SHA256 | 31b96e596736e23c131d8b5e7f8f210b5612393fabcd91aa1b89a4b1ee32d892 |
| SHA512 | 75bbec9b7ad07227bedcaedf2c6000c9376f10c640d92118a9d34b4f4c5860b8396c4235bb8dcea68b769e5f806130cdf2aaf148bf0b4c7483bfba48244a7ccd |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | cc05ed7d3025095d6ca6abb8a2942311 |
| SHA1 | ed0afe1de97de4e9a8f3338e64d96a62e7de4b4e |
| SHA256 | 2638b858c8f7e1a389ad76ef4475d45f04685249d49331abcb8837659bf7eb88 |
| SHA512 | 52e3b9310704c8ccf01bda2d53a4cd4440b16e1621eb946edf0717909addecf61b8e2741c596dbc3416d60cfc3cec3ba4582182fb9fb56241609d006f50445ed |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 3d813879186f73515a65e994ed42ed6d |
| SHA1 | 8e316e2288222f8aa088f58f6a35de17e5d416cc |
| SHA256 | caefadbd01c79b360bdc4b0a7e5a39f29bd8d3898cde324c9197960bdf01ad11 |
| SHA512 | 1f0c938378d34b69c36d9e3429ce1c4088444a19e7d91525cda1448020826fd68908b222b2fbf5d635db20c1b2963efbb80bbdbcaeb53d6a47be75df25b32c77 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | bd198ae685d635a0cb0ac1729476bfac |
| SHA1 | ef9b9e3541cda853da7b86a3065f44e27218a16e |
| SHA256 | 1362b3b957dad4a12f0a8319cbaeadda5bbd9bafdccd3ecd2b11c3f147eedab5 |
| SHA512 | 5da3fd413dd3d2e989c5dcd3e07437b17a77f20ce2e14435c824277a89a27b7fcd8c98e80bd2aa0c377b3bef6e5cdddc7eb2353599fc31c6845613b43ac2847d |
memory/1884-330-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe
| MD5 | 068db75101316d6596dfcac7d85a2a3f |
| SHA1 | da92a2110c04537ee26b310366e7edcb1a45565d |
| SHA256 | c05e91459daf1a52e713c813e875443667838094d7c03b04b6667642736aad74 |
| SHA512 | 0f23eccad06f9cacca36e27ac35129afda1497cfc0d1267c3f48ddafa652d7266bb44aed1255cc8d1f8118c7fc7a0077e7674dc613a9c74969ace9d7d6dfe821 |
\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 099d81985b4d1951c9a0448bdead2e31 |
| SHA1 | 3707f6971ecdd856999ca980a1b99b551bea5ff9 |
| SHA256 | 291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095 |
| SHA512 | f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2 |
\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
memory/672-361-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/2604-363-0x0000000000220000-0x0000000000247000-memory.dmp
memory/2604-362-0x0000000001BB0000-0x0000000001CB0000-memory.dmp
memory/2604-364-0x0000000000400000-0x0000000001A34000-memory.dmp
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/2488-377-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2488-379-0x00000000058C0000-0x0000000005DF0000-memory.dmp
memory/2388-380-0x0000000000400000-0x0000000000930000-memory.dmp
memory/2496-381-0x00000000036D0000-0x0000000003AC8000-memory.dmp
memory/2388-382-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2496-389-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\80E3.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/672-410-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/2604-411-0x0000000000400000-0x0000000001A34000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 333f6a499e6f8df0ec2909395a9839d7 |
| SHA1 | 2585fa58daba69010eac0daffb716cbb3d05313b |
| SHA256 | d4ec88db48a376d045df5d00ebc4caabdbd4428a14ffa32f88205daa98e65822 |
| SHA512 | 71d1dc5b0508fa184e666649915476addbe0b6e9b1fa99834effdffe2cf80bc40102d8d832998c6a0b2fbc25a519dd15d8dd7db8c8c1d90fffa5612b6994fa49 |
memory/2496-434-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2388-435-0x0000000000400000-0x0000000000930000-memory.dmp
memory/2496-438-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2604-439-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/672-468-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/2604-469-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/2604-470-0x0000000001BB0000-0x0000000001CB0000-memory.dmp
memory/2604-471-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/2488-472-0x00000000058C0000-0x0000000005DF0000-memory.dmp
memory/2388-484-0x00000000001D0000-0x00000000001D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D663.exe
| MD5 | 51597fedbf769613eac193b679de833d |
| SHA1 | 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945 |
| SHA256 | b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c |
| SHA512 | 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23 |
memory/1640-499-0x0000000001AB0000-0x0000000001B41000-memory.dmp
memory/1640-501-0x0000000003330000-0x000000000344B000-memory.dmp
memory/1852-506-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1420-510-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/1420-514-0x0000000000400000-0x0000000001A34000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe
C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe
C:\Users\Admin\AppData\Local\Temp\osloader.exe
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 14:19
Reported
2024-03-11 14:21
Platform
win10v2004-20240226-en
Max time kernel
74s
Max time network
159s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zXE7BplJnOvLoBPuJgzWqDdd.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MrCh6LTxuAUYHkXUVPJUkWqj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acCvIQIZt1RlxaP49liPXtwA.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z7H8NHbFaHbruCtYhnWdBDJL.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TPPLqD6M1vwXzKOxY6sV2QJZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
SmokeLoader
Stealc
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TPPLqD6M1vwXzKOxY6sV2QJZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z7H8NHbFaHbruCtYhnWdBDJL.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zXE7BplJnOvLoBPuJgzWqDdd.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MrCh6LTxuAUYHkXUVPJUkWqj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acCvIQIZt1RlxaP49liPXtwA.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 152.89.198.214 | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3080 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1593.exe |
NSIS installer
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe
"C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe"
C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
"C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe"
C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp" /SL5="$80090,1518993,56832,C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe"
C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe
"C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe
"C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe"
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
"C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA7F.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1593.exe
C:\Users\Admin\AppData\Local\Temp\1593.exe
C:\Users\Admin\AppData\Local\Temp\1593.exe
C:\Users\Admin\AppData\Local\Temp\1593.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4468 -ip 4468
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b252c0fd-10e5-4d1b-8086-868448a9ca5f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1593.exe
"C:\Users\Admin\AppData\Local\Temp\1593.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 2372
C:\Users\Admin\AppData\Local\Temp\38AC.exe
C:\Users\Admin\AppData\Local\Temp\38AC.exe
C:\Users\Admin\AppData\Local\Temp\1593.exe
"C:\Users\Admin\AppData\Local\Temp\1593.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 776 -ip 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 568
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
"C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe" --silent --allusers=0
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x6e4121c8,0x6e4121d4,0x6e4121e0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe" --version
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
"C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5888 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240311142110" --session-guid=e13e9559-45cb-4e14-84b3-b5fd697c8c06 --server-tracking-blob=YTk3NWNjZDc5YjQ4Yzk1OWRmNGVlNzQ1OWUwZmU0OTc0MmVmMTRiMTU0MDIyNDY3YWFkOThlMDcxNGEzMzU3MDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMDE2Njc3Ny43MjIzIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI3NzE2MWZjOS0wMDI5LTQ0NzAtYWE1MC1hNzJiNmQ1MGNkY2MifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2fc,0x300,0x304,0x2cc,0x308,0x6d9021c8,0x6d9021d4,0x6d9021e0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xc50040,0xc5004c,0xc50058
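The `sc sdset WinDefender D:(A;;...)` command line in the process list above is the security-relevant step in the Glupteba chain: it rewrites the DACL of the dropped `windefender.exe` service so that Local System keeps full control while Builtin Administrators are explicitly denied SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT). The following Python is an added example, not part of the sandbox report and not the malware's own code: it decodes that SDDL string into ACEs using the standard two-letter right tokens Windows uses for service objects, and reports what each trustee can and cannot do. It assumes the rights field is written as tokens (not a hex mask), ignores O:/G: owner and group components (this descriptor has none), and only considers ACEs that name a trustee directly, so group membership is not resolved.

```python
import re
from dataclasses import dataclass

# The descriptor from the `sc sdset WinDefender ...` command line on this page.
GLUPTEBA_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL right tokens as Windows interprets them for service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Well-known SID abbreviations that appear in the descriptor above.
WELL_KNOWN_SIDS = {
    "SY": "Local System", "BA": "Builtin Administrators",
    "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone",
}

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

SECTION_RE = re.compile(r"(D|S):((?:\([^)]*\))*)")   # D:(...)(...) / S:(...)
ACE_RE = re.compile(r"\(([^)]*)\)")                     # one parenthesised ACE


@dataclass(frozen=True)
class Ace:
    kind: str        # ALLOW / DENY / AUDIT
    flags: str       # ACE flags as written, e.g. "FA" for failed-access audit
    rights: tuple    # two-letter right tokens, e.g. ("WP", "DT")
    trustee: str     # well-known name, or the raw SID string if not mapped


def parse_sddl(sddl: str) -> dict:
    """Return {"D": [Ace, ...], "S": [Ace, ...]} for a DACL/SACL SDDL string."""
    parsed = {"D": [], "S": []}
    for section, body in SECTION_RE.findall(sddl):
        for ace_text in ACE_RE.findall(body):
            fields = ace_text.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: {ace_text!r}")
            kind, flags, rights, _obj_guid, _inherit_guid, sid = fields
            if rights.startswith("0x"):
                raise ValueError("hex access masks are not handled by this example")
            tokens = tuple(rights[i:i + 2] for i in range(0, len(rights), 2))
            unknown = [t for t in tokens if t not in SERVICE_RIGHTS]
            if unknown:
                raise ValueError(f"unknown right token(s) {unknown} in {ace_text!r}")
            parsed[section].append(
                Ace(ACE_TYPES.get(kind, kind), flags, tokens, WELL_KNOWN_SIDS.get(sid, sid))
            )
    return parsed


def effective_rights(dacl: list, trustee: str) -> dict:
    """Explicit allows minus explicit denies for one trustee.

    Simplification (assumption): only ACEs naming the trustee directly count;
    rights reached through group membership are not resolved here.
    """
    allowed, denied = set(), set()
    for ace in dacl:
        if ace.trustee != trustee:
            continue
        if ace.kind == "ALLOW":
            allowed.update(ace.rights)
        elif ace.kind == "DENY":
            denied.update(ace.rights)
    return {"allowed": sorted(allowed - denied), "denied": sorted(denied)}


def can_stop_service(dacl: list, trustee: str) -> bool:
    """True if the trustee ends up holding SERVICE_STOP (WP)."""
    return "WP" in effective_rights(dacl, trustee)["allowed"]


def describe(sddl: str) -> list:
    """One human-readable line per trustee in the DACL, in descriptor order."""
    dacl = parse_sddl(sddl)["D"]
    lines = []
    for trustee in dict.fromkeys(a.trustee for a in dacl):
        eff = effective_rights(dacl, trustee)
        lines.append(
            f"{trustee}: allowed={[SERVICE_RIGHTS[r] for r in eff['allowed']]} "
            f"denied={[SERVICE_RIGHTS[r] for r in eff['denied']]}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(GLUPTEBA_SDDL):
        print(line)
```

Decoded, the descriptor shows why `sc stop` or `net stop WinDefender` from an elevated prompt fails with access denied while the service itself, running as Local System, is unaffected. It also shows the gap the malware leaves: the Administrators allow ACE still grants WRITE_DAC and SERVICE_CHANGE_CONFIG, so a responder can reset the DACL with `sc sdset` (or change the start type with `sc config`) before stopping and removing the service.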
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 188.114.97.2:443 | yip.su | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| US | 8.8.8.8:53 | midnight.bestsup.su | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 8.8.8.8:53 | namecloudvideo.org | udp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| US | 15.204.49.148:80 | 15.204.49.148 | tcp |
| US | 104.21.29.103:80 | midnight.bestsup.su | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| US | 188.114.96.2:443 | namecloudvideo.org | tcp |
| RU | 194.87.206.12:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | 148.49.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.206.87.194.in-addr.arpa | udp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | shipbank.org | udp |
| US | 104.21.10.217:443 | shipbank.org | tcp |
| US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.10.21.104.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| US | 8.8.8.8:53 | 187.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| MX | 189.232.56.10:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 10.56.232.189.in-addr.arpa | udp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 94.110.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | superemeboxlogosites.pro | udp |
| US | 8.8.8.8:53 | b70b9476-50b5-4f39-8ca3-3f6c0f9cb42d.uuid.filesdumpplace.org | udp |
| US | 188.114.97.2:443 | superemeboxlogosites.pro | tcp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 188.114.97.2:443 | wisemassiveharmonious.shop | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | colorfulequalugliess.shop | udp |
| US | 188.114.96.2:443 | colorfulequalugliess.shop | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | relevantvoicelesskw.shop | udp |
| US | 104.21.33.178:443 | relevantvoicelesskw.shop | tcp |
| US | 8.8.8.8:53 | 178.33.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server14.filesdumpplace.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| BG | 185.82.216.96:443 | server14.filesdumpplace.org | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| CH | 172.217.210.127:19302 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 8.8.8.8:53 | 127.210.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server14.filesdumpplace.org | tcp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| NL | 185.26.182.123:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.123:443 | autoupdate.geo.opera.com | tcp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| US | 8.8.8.8:53 | 123.182.26.185.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 82.145.216.15:443 | features.opera-api2.com | tcp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.216.145.82.in-addr.arpa | udp |
| NL | 82.145.216.24:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | 24.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| GB | 95.101.143.176:443 | download3.operacdn.com | tcp |
| US | 8.8.8.8:53 | 176.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server14.filesdumpplace.org | tcp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 152.89.198.214:53 | boignui.com | udp |
| TR | 195.16.74.230:80 | boignui.com | tcp |
| US | 8.8.8.8:53 | 214.198.89.152.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ns1ilfts.tob.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1428-7-0x000001C53BF10000-0x000001C53BF32000-memory.dmp
memory/2392-10-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1428-11-0x00007FF82D7E0000-0x00007FF82E2A1000-memory.dmp
memory/1428-12-0x000001C5217D0000-0x000001C5217E0000-memory.dmp
memory/1428-13-0x000001C5217D0000-0x000001C5217E0000-memory.dmp
memory/1428-14-0x000001C5217D0000-0x000001C5217E0000-memory.dmp
memory/1428-15-0x000001C5217D0000-0x000001C5217E0000-memory.dmp
memory/1428-18-0x00007FF82D7E0000-0x00007FF82E2A1000-memory.dmp
memory/2392-19-0x0000000074870000-0x0000000075020000-memory.dmp
memory/2392-20-0x0000000005450000-0x0000000005460000-memory.dmp
C:\Users\Admin\Pictures\BOc48RVTxeqcTLguN4DB85xV.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe
| MD5 | 3ca2f625386f7a3ca29376148974fa64 |
| SHA1 | 646443709518ef699bae4755b262370ff6e7fbcc |
| SHA256 | 25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4 |
| SHA512 | dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79 |
memory/3612-50-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
| MD5 | 367438b39d3e6e775036497c69c6246c |
| SHA1 | b73461e5bdd466af00d57d07c22728bac322f65f |
| SHA256 | 125fd354ae4cd5b545c35bb75997189131fdffc0b46f4e9ece0a2c2075dc14bb |
| SHA512 | 57cf4a855dc32e9a1b83ef81ffb26e3ad4e6f09f79c0208cdead01188c40cb3e3e87199f9edd0c3aec383b79178cf67fc8f11786209e75b8e9af2878fd90d0b7 |
C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
| MD5 | 0dd818d2fb073230a3a72333c61f9902 |
| SHA1 | 5dcb3563d887ce28bacab5a7027fe055e20a82cd |
| SHA256 | f901cec6bc29e552107f4a5ba735187681bc2cae56750f6b555956e486383f33 |
| SHA512 | 9d1f60f8d83f7912707baa5593f6f8113f2b0cc293143ee5ab793d3b5c26ca342bb1eb5861912497c06932866f79593c4d829900d2ce68371acf9726eb0fc786 |
C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
| MD5 | e3fb8c6bc14ba6d7691d6510c4a1cc8e |
| SHA1 | 552144000009654622cbb405d4b956fbed05bd28 |
| SHA256 | 3976e258a5c5151ae1ebe1af80ca58be4631f982007351e2c01bb261b01308c6 |
| SHA512 | 95e2fe3c3a5f88cafe75710c35773730fd97863b84bda2b4dc4a808ea9960b353549f075d94b066d43512533fba947e3c8628c79936d1a0d33ebb490b6753df2 |
C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp
| MD5 | 150a46b9c3e09bc0ed8d581669fe605b |
| SHA1 | 760baa334e4e024e80f27f8e23b900600281a853 |
| SHA256 | 2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f |
| SHA512 | d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805 |
memory/4024-62-0x0000000003A80000-0x0000000003E79000-memory.dmp
memory/4024-63-0x0000000003E80000-0x000000000476B000-memory.dmp
memory/1988-68-0x0000000002100000-0x0000000002101000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-09FPA.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/4024-73-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe
| MD5 | 068db75101316d6596dfcac7d85a2a3f |
| SHA1 | da92a2110c04537ee26b310366e7edcb1a45565d |
| SHA256 | c05e91459daf1a52e713c813e875443667838094d7c03b04b6667642736aad74 |
| SHA512 | 0f23eccad06f9cacca36e27ac35129afda1497cfc0d1267c3f48ddafa652d7266bb44aed1255cc8d1f8118c7fc7a0077e7674dc613a9c74969ace9d7d6dfe821 |
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 099d81985b4d1951c9a0448bdead2e31 |
| SHA1 | 3707f6971ecdd856999ca980a1b99b551bea5ff9 |
| SHA256 | 291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095 |
| SHA512 | f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2 |
C:\Users\Admin\AppData\Local\Temp\nsl53F9.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe
| MD5 | e474dda04f6f90ba50ebff47395b19c9 |
| SHA1 | db1dc005639d232a25e074267239fd9e5fcbe6c7 |
| SHA256 | d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef |
| SHA512 | aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055 |
memory/2392-119-0x0000000074870000-0x0000000075020000-memory.dmp
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
| MD5 | 49fc5d878e59f728efd5427c905efbba |
| SHA1 | 35db9693fdd780fe3b4869dde52080dcd856d724 |
| SHA256 | fb04dbdeb681ff10f950aa2e225ae0168f165f9611e409f8b1eef1d45e13c2a8 |
| SHA512 | 1dece436bb60fca62f0bd07f78c6069e933cea87ff464c0444f57b2bae64f75bd5e0113a1465b32f933563cc13b5e20dbc47062c2db8add39314070afa2b4cca |
memory/4468-129-0x0000000001D50000-0x0000000001E50000-memory.dmp
memory/4468-130-0x0000000001CA0000-0x0000000001CC7000-memory.dmp
memory/736-131-0x0000000000400000-0x00000000005BB000-memory.dmp
C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe
| MD5 | c50f8ffa8a216c19442b1e68daf3713a |
| SHA1 | 7d249939b1c04db72e57091499b52fb3dfbd6586 |
| SHA256 | 031c6e90cf7280afa0819560e1e882aa62d53ef3930b67fd36951bcd484a3016 |
| SHA512 | 478a68fd49676130ce9ecf511354a0223b8e2fd84e181c00f4ed48bf240e2e9b504de13232a0376d086f5b1f09db25c00255185c9c86e87e1e52be6aed62d0de |
memory/736-135-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/4468-134-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/3148-137-0x0000000001B50000-0x0000000001B5B000-memory.dmp
memory/3148-136-0x0000000001C20000-0x0000000001D20000-memory.dmp
memory/3148-140-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/5016-141-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/2392-142-0x0000000005450000-0x0000000005460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/4088-154-0x0000000000400000-0x000000000043D000-memory.dmp
memory/692-155-0x0000000000400000-0x0000000000930000-memory.dmp
memory/3612-156-0x0000000000400000-0x0000000000414000-memory.dmp
memory/692-157-0x00000000027E0000-0x00000000027E1000-memory.dmp
memory/4024-158-0x0000000003A80000-0x0000000003E79000-memory.dmp
memory/3372-159-0x0000000002F80000-0x0000000002F96000-memory.dmp
memory/4024-160-0x0000000003E80000-0x000000000476B000-memory.dmp
memory/4468-166-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/4024-161-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/1988-168-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/4732-165-0x0000000002870000-0x00000000028A6000-memory.dmp
memory/3148-163-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/4732-172-0x0000000074870000-0x0000000075020000-memory.dmp
memory/4732-175-0x0000000002940000-0x0000000002950000-memory.dmp
memory/4732-176-0x0000000002940000-0x0000000002950000-memory.dmp
memory/4732-180-0x0000000005010000-0x0000000005638000-memory.dmp
memory/4468-210-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/1988-211-0x0000000002100000-0x0000000002101000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\9b7eef56-73eb-4b37-8132-86faba443da9.tmp
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/4732-218-0x0000000004D90000-0x0000000004DB2000-memory.dmp
memory/4732-219-0x0000000004E30000-0x0000000004E96000-memory.dmp
memory/4732-220-0x0000000004FA0000-0x0000000005006000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/4732-233-0x0000000005970000-0x0000000005CC4000-memory.dmp
memory/5016-234-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/4732-235-0x0000000005EE0000-0x0000000005EFE000-memory.dmp
memory/4732-236-0x0000000005F90000-0x0000000005FDC000-memory.dmp
memory/692-243-0x0000000000400000-0x0000000000930000-memory.dmp
memory/4468-244-0x0000000001D50000-0x0000000001E50000-memory.dmp
memory/4732-245-0x00000000063C0000-0x0000000006404000-memory.dmp
memory/4732-246-0x0000000002940000-0x0000000002950000-memory.dmp
memory/4732-247-0x0000000007190000-0x0000000007206000-memory.dmp
memory/4732-248-0x0000000007910000-0x0000000007F8A000-memory.dmp
memory/4732-249-0x00000000072B0000-0x00000000072CA000-memory.dmp
memory/4468-250-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/5016-251-0x0000000000400000-0x00000000005BB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
memory/5016-257-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/5016-258-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/4732-260-0x000000007F8F0000-0x000000007F900000-memory.dmp
memory/4732-261-0x0000000007480000-0x00000000074B2000-memory.dmp
memory/4732-263-0x000000006E230000-0x000000006E584000-memory.dmp
memory/4732-262-0x000000006F0D0000-0x000000006F11C000-memory.dmp
memory/4732-273-0x0000000007460000-0x000000000747E000-memory.dmp
memory/4732-274-0x00000000074C0000-0x0000000007563000-memory.dmp
memory/4732-275-0x00000000075B0000-0x00000000075BA000-memory.dmp
memory/4732-276-0x0000000007670000-0x0000000007706000-memory.dmp
memory/4732-277-0x00000000075D0000-0x00000000075E1000-memory.dmp
memory/4024-279-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/692-281-0x00000000027E0000-0x00000000027E1000-memory.dmp
memory/4732-285-0x0000000007610000-0x000000000761E000-memory.dmp
memory/4732-286-0x0000000007620000-0x0000000007634000-memory.dmp
memory/4732-287-0x0000000007710000-0x000000000772A000-memory.dmp
memory/4732-288-0x0000000007660000-0x0000000007668000-memory.dmp
memory/4732-294-0x0000000074870000-0x0000000075020000-memory.dmp
memory/4732-295-0x0000000074870000-0x0000000075020000-memory.dmp
C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
| MD5 | 662b7d9316e9ece81c1bb758ef1fcaba |
| SHA1 | a24c80f9cd7dd4e6215defb640abd0a26f14e4de |
| SHA256 | 7f500246aec0fadc2a1b98c03ef9c51ad7a982f40d250be02e226c0186e59220 |
| SHA512 | ce4d4edc36d0f2cf19f944f205dbfc84264b9a7663d352e3b1b9e97ce692c53a5c9ef587fb56936887919e9b229070d5fd3fe00375c87db42914b2e841763e37 |
memory/4024-297-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CA7F.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/4468-306-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/5324-307-0x0000000003AE0000-0x0000000003EE6000-memory.dmp
memory/5324-308-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/5016-309-0x0000000000400000-0x00000000005BB000-memory.dmp
memory/5324-347-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/5016-352-0x0000000000400000-0x00000000005BB000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 611cb8ccde253e4f3bc65d2f322905b3 |
| SHA1 | fe4df19cc69115cdafe40898c22628e4b2810f68 |
| SHA256 | 3d88bd0dbae70f6267c653f0713672d28d52914b022783741b2a539405117cc1 |
| SHA512 | f9cc4ea1d109f779b71c1a3b31b5f00570f024d1cb0cb0dbd51e5b8b6a0abff2a9d9bee627d2a7a69e05e375ad83116d0bbdc81a4385f5920bbe2b1cde267885 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e14c0ab26986712248a8cbf2a55e0323 |
| SHA1 | 1112de76af4b0f5f9e4374ca45f2d016470581c3 |
| SHA256 | 1c787fb2b6264c7f6be3c9899690c0ea6de5632df8c0f36c73996104c8a09521 |
| SHA512 | 78d9003fc4e6bb1811822045d119b45ba928c4e451f269ac1e03f4ac07a7a3d8061e9e297a09f2a60e17ecb8e0e8ed043eb0d71d3e00b03b4e45315045c4ab82 |
C:\Users\Admin\AppData\Local\Temp\1593.exe
| MD5 | 2f89637e05e9e78d7e98c8ee34da535e |
| SHA1 | 31f005ef288cfef2b5ac9e4f246bc9d22098c479 |
| SHA256 | 3f44b8b747480bc28c43bff52e49ae9a38e635a014ce6de51cef9810ce46c2da |
| SHA512 | 87a15db9dd58f168495e21b02f068c39e6be69b5b033dbb909ca3f067ab7f7241368a24e931c0f1a317bf8a927bcd1162c4f6666ab6633bdbfe45d9aaaee435b |
C:\Users\Admin\AppData\Local\Temp\1593.exe
| MD5 | 51597fedbf769613eac193b679de833d |
| SHA1 | 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945 |
| SHA256 | b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c |
| SHA512 | 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23 |
memory/552-444-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5324-433-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/552-446-0x0000000000400000-0x0000000000537000-memory.dmp
memory/552-450-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4468-449-0x0000000000400000-0x0000000001A34000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | b3624bc72696cead56ccc0b86e4bdda6 |
| SHA1 | d49d39705a3f8bd836b084acd72eee974c62d4f4 |
| SHA256 | e9b30abe493a9ff8b87e0c15b99fd0322736ca6f54fe13d453b6e416d8454fca |
| SHA512 | abff8f4bfab43d951629cfd30cced1a5caccb54e5ca895474bcccff49359773e54e81185d2da5b4b9f8c72073be056d228613727fe0b7bd41d3c356b2c35caea |
memory/5324-457-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 25c7b4c4349aa1d805e400a11a4806f9 |
| SHA1 | 424f4329b643e3cc08a2153db5bedf9a13b56fd5 |
| SHA256 | 8e3786c788981fc42e788744715d67e86e2c87acbe00a6e4831935c4de701861 |
| SHA512 | b40286933d8b1ab7f08c5731455fd44dcd2eac006a4528b6a20e047925b5e308d61162f1221e6e5ccefe41490ef2ceda01b42b0ffee033205aa6f8d1900fdaf1 |
memory/5016-460-0x0000000000400000-0x00000000005BB000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7b4d837fa82a59db9afc06a80b157deb |
| SHA1 | 3f7446a730059ea0d50d71e458bf1c74384416b1 |
| SHA256 | 60c56e075d91b33bb92310aa483466ac038ddaaf92a12e0e1691722db6d3146f |
| SHA512 | 2f09e293e1deb2c8d15f240c797102bec134c5eec7e21d475f7cde605102193c82c53e1deb36cb6e7c0bbc283fbceaa37dbb6f2d8d572292897506a94bee1002 |
C:\Users\Admin\AppData\Local\Temp\38AC.exe
| MD5 | 756931963ef47d8261e3090770710355 |
| SHA1 | 074e49a53dc0dea819a2ce9b487982f0ac114d86 |
| SHA256 | 6a103e31e7c1990a5f21e6ad483805b01fdbabe9fd9454f42aab0eda9b5d67cf |
| SHA512 | 231458212051567f7549a7d24d0d956219e33480fbba3428b2259d571265802aa9b8727998f6c5bf62e30c1ec673619506b5cb9d1220c738af0685be2ec397ce |
C:\Users\Admin\AppData\Local\Temp\38AC.exe
| MD5 | aeb2c8333650e3e57fe5109330c1435a |
| SHA1 | e529dcf82531151201d08e9eea8cb54ada7cce9c |
| SHA256 | eb7e8e099214c01040756833d3ec9c724d7e0242a79b67c92471836e7eab1245 |
| SHA512 | 3a66f34e6de7a24c3f45cdf9e422feca8d06686c8e8588f5220aabdfe66d41868f1db415afd10288e953590b21d01752b65567ea2e4838d424962a1a23725614 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e93b5f6f5dcd769f05557f9453930640 |
| SHA1 | 52d8ca01f7b4b0a1a993153f5c0ac33604ea858e |
| SHA256 | 7f489e52e5e6fe7ab6afd55d49fc90716010f313008d4a7deb21d0678c1dee2e |
| SHA512 | d9a6a986204df8f64bbe6cf4af416f36259303bfc9edf5142def4719aea121c22d3ee25822d9b6fd6302d41234599899a70ae4de5a7d7065a3645abf6316f846 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 46c6d160fe941ee526213b55931f0e91 |
| SHA1 | b6d3553cc4528e942131105d19d0d2a714581e58 |
| SHA256 | 152bcf977016bf079e47f20e716057fb7f4e772015802dd00d3eee7b1874f7c0 |
| SHA512 | 2f695fc1a146f5fa64db746bc7cf81155cd78399d575576e07af9abcf3975e828ce0f2b6cc91b9f116eff034f2c5c4db4d9a1ea5cb0249753a572628c4db5766 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 7ca8d87366480bdee9964513a59627a9 |
| SHA1 | 736db2077c4dd9097246964851f87f1a8dad39d1 |
| SHA256 | e3849569450d0409d855811fdf2cfd11dba45553ae7302711b42e06c342a05c3 |
| SHA512 | 96fcb9c7854a4e03e875495ef3b4866513f0d8afddee5914a34851d3fd8d685ca73983a8503f33bf9033232795b34ddfc3aabeebe28ca53b4a44f0de23223e9b |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
| MD5 | 41150f0446da63df089d815ecaf253c4 |
| SHA1 | afc1d9578dbe7ab962c44a79daac108a9336e791 |
| SHA256 | b3d2c50e19cb90a661c586551f03ab9d6ec3b0bc6ab44e61415c0d5f1b838e05 |
| SHA512 | 721bbad616231fff51000e2b2f1e8741b2bcbc0543896928ec1a5a77143756cbd93c55a9510a7780a88ebab7795641a9a128dc35eb4f68912c447b1f4959137a |
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421098545888.dll
| MD5 | 99f28be37c48d4c06ff5baf21caf0747 |
| SHA1 | 031ab5b90017e6ffab5d005e566813717592ef4f |
| SHA256 | 5a6f8fc1ba4dda4a971ed228b929e00338700bf02976150d8dd1bfc4f6c84f5d |
| SHA512 | b68e65b9aebc4c872f874af6218523d9b4cdcb4b104678e75abc3f3e6262187674cb65ceb760ef981f61ad58e9e007f2a4711158ca9082eaff49a21bae97711d |
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
| MD5 | 2fbbf7bf54bc7501da0bf4256f510c3f |
| SHA1 | 31ce09b049432d902aa3c9c6356360bebe802749 |
| SHA256 | d8fc823ccd276ca09ba6b2388202b6627a64f6ff92d0cf47570c166020dacbc4 |
| SHA512 | 556d4997306576cada90c5715e619a2527f40f7e424fde0efe181f6ec2698a5ead21bf5333a7a1e2eed95c43a5c442051d10d87ebb4046c9c6d592c0e7b38c99 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421100265268.dll
| MD5 | db74d30f6dc1e54664f7619e5bced29e |
| SHA1 | b859c93690f3d6d963ce0283d15dd35c040432e1 |
| SHA256 | 524e706265138addf45dee4dbe6298373f510d58ebd2de0ffa3d256f1fae86f5 |
| SHA512 | 62919b6bd7313de293e4e5c0a0f3caef1b49087c81e0e45bfab56a486fa9fdfe0f2f5381c1f58715460e1758ab14275ad404835246c7815de62d72348a76bcb3 |
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
| MD5 | c05bb37077cb577f5e6db5fdbf52af7f |
| SHA1 | 7525115320e8b88c73ca2a314f3ff470a3d76499 |
| SHA256 | e23bb0af48141c2164d614fa351209b4e1e9941a9a613b117057a2e1fa1abd0d |
| SHA512 | 7564b20bf0ce0d1c5c0ac7eb688cd58116bced47a5c957087310a939debc4922bce27fc5d7ea056e49776a169ef2b2a87a611776cdcc373802ed97c18250edf3 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe
| MD5 | 3a3b67404eb1d1300060b7e5884e2325 |
| SHA1 | eb8b2abfdfaaf80230c9d2db6297a428c1b11e73 |
| SHA256 | 67c5b5e5e679c027dc4bd7f6796f5167fefd1303b78b12b8fcf85bf7b2309d3c |
| SHA512 | 793e4ca10f305f8719069414b6a9d5211da300ef11f80ddf98bc6876ff1e25fa8edfb311fad059ddc234ccc6c560dd3ebc9390628f13dba5f10e8088c9bc9dc3 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421103541476.dll
| MD5 | fe30c4340b7c7c05c5d81249881e3b7d |
| SHA1 | 24c7bb0ea94312d16194bc5757cbe22c96055b87 |
| SHA256 | 129957b71bf2730ad183b33613bd1045d33937706b86c5e30052c2f1ef91277e |
| SHA512 | 16fa420979b1f1d15e77ea9b51aa47752bb8995c90438e232cb38d9730f5be8b63360507f9ce256612a2e5229e3c57ac7715d217af2a25544ca211115e672651 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421103541476.dll
| MD5 | b4039abd92499f0d7522c23a91990f59 |
| SHA1 | b03558ded00b283d3b614e21114c1191269fa1fe |
| SHA256 | c6372da1a7e790561058fb4abfd8755c62662b894b08f55dcebd5ebe9288be71 |
| SHA512 | 69db107c95d758203e02f6790281c079ba877811fc31bc2cebb586b1a434b8d2a7433d420edaa32c647241930f51c496cff8bffe14c721dfb7ca538e857662e9 |
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
| MD5 | f06607ed24891f735f809a8379f739f9 |
| SHA1 | 988d58d8250945a5a29646d386bc1ad6d787a70b |
| SHA256 | d61a6e24fb66d0f28d5c6892910d7aa66c5ee61dd84acff77ba1f143f1bd0105 |
| SHA512 | 2429c5d193920455a92f160a1847a91237e2225b68a64dee301ed42230252b32b7a224511b7040611240ad6457e2a4b2c02e404a00aafcaa99a974f28962a41d |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421108001672.dll
| MD5 | b2934e8fe78e03093eeb61ba28fa872c |
| SHA1 | 6f59af6a62931a237dd6f1aa01d580458fa335aa |
| SHA256 | 0623a94a65aad33351ecea5671827b340e6de19ee615cb38c380a39a670b1bb3 |
| SHA512 | c23713f9ae5ee5e50cf86441f07608ad888a46df82e015420325130c1a44238300f25501ea83c11647206493404c3707a4b0259086cce05ec32e4a1621992604 |
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
| MD5 | b1fdbcc8f7e1323b1ae74cc79e7b24b3 |
| SHA1 | 03b12f34b8fcf39fa2c7f5610f8012991c28654c |
| SHA256 | 6c690ccdbf9fb013c9c4baae363c7ae397ea821fbab667a1a26dde0bc6f7f59c |
| SHA512 | d91df905e36f2fc9a0990490ae1793dc6bf5896e4df5fa06d5c24c9a07028621a7ae123a04a98f0e2d36a10d1fdde98b4307f4cd15642174651405e2acfb63df |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421113465376.dll
| MD5 | 4e09e841c58ecf306e78feea83cea8e1 |
| SHA1 | 2b419d945d46a6b255328080135bdd3058c8dc03 |
| SHA256 | b632441531b193e315ff276c17af62f8e61bd93e880b108ee9b8d917870455d6 |
| SHA512 | 61a946287dedb5ccedb47cf808ff4cf1d7b371ca8041062ca812977ce9f29d7188cedadbb57d140270e16f57c6bc3c87d270a99d707b9608b0ac4a52ed8b4706 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 92a4a8eff29af16c824751c951006034 |
| SHA1 | 7ab76569685eb09444039794d66ba02a5eee0781 |
| SHA256 | fea1afd3a05138180be400ad188944037fe5a351de8eb7d54c9c69323f35c839 |
| SHA512 | 126146f1bb0fa8e0c6429681d62ceb96e16a33c994bdf502a34af5a66160904f5af907b819458e4005ca550d05ed1f34eacc10a73caa801897669f326865d09e |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\opera_package
| MD5 | b11a82be27ba5ec5a6d6fd7ff20e8ab0 |
| SHA1 | 9f074f5a86c0aae449f2bc445748ae870a996010 |
| SHA256 | 27fadf5046749f37dce63d901f7085a63ce637c06430bd62af6bf3ab3fa2082e |
| SHA512 | f58e217e234915aee0e80e364a84f086f1744d0b795318aff66b3e165dba5736f371a3bd798a53b0bf57006ce8356f5500769340a84a58dc09d18ffdf139a891 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 954d8eaf098bfb9609509bf09c201374 |
| SHA1 | 02cb116621285a4640048822da6f01d6b16e6d4d |
| SHA256 | 4f49c4b52ec28b4a6b3e5435a906be8652a4d16c04345050d60f942849612b0c |
| SHA512 | 167e8465dd9fc345d53ee93afb08c8be74ab4b3a29c178490502eee6dc3f9413a3a68e873de63728bbd768bd5a3710d3a8c0d0a9fbc266006fd5dcef610825bd |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe
| MD5 | 720b7591615ada96ef3f92dbd6bb7315 |
| SHA1 | 5dc09adfd221f65143404c84357efb6f05b1991f |
| SHA256 | 4ebd8dca718391f84771350af13f6b4db22f8d533ae6deb9a4f2edfe778d60b7 |
| SHA512 | 81cf27d5c969001f43571ed9398a6e001c13e98065ba6bf4588a71ad9bf00f6605af60801b6ef0439104bd87fc294b65d82f5cee119aab754f1ce78defa6f8c7 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbghelp.dll
| MD5 | a2e2c6d725dea1c49eb40b0e7b134e1b |
| SHA1 | c425999011065bc87c40806e4adf39c006350fe1 |
| SHA256 | b345407859596eec3f014f1f3e47aaba9bd63fe20be26e3125e2762bb207778d |
| SHA512 | 10ce4fcde83f478579e99156842d46109a96e5d1c93ec9cb066df5606545f8b5c1b5013cec472691daba97a97842c05fb25f1582df8fbb03317c4f4079580042 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbgcore.DLL
| MD5 | fa8d56546648d8c0acf1c17c540fd543 |
| SHA1 | 7c58b6b7388ab12ef3035d63a5e3830f763e5a6a |
| SHA256 | a82101ba4ec593aaf627af7db83ab6aa88e99f170b6a1163677ef3e0a57c158a |
| SHA512 | e278a2a1d12b49b98ab5334d46018a434c28ace3da27af50dd5092bd68a8cc6b559f0be0fbe277df7d5b51ccc702d03071620735d66828b2b700c40ded687ff7 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbgcore.dll
| MD5 | 202e9e27500f1419bb023c5ac54618a8 |
| SHA1 | 836082a6139de74a623730bd98797c78da7234dd |
| SHA256 | 3f775c5caf649aaf03825cdf6cf29eddaf881c6a0552d0da12ff4ba875aef4f2 |
| SHA512 | 5fbd6b74b42e090cb6089a94293a4a80390a64a18fd58affabd31a0c18d30bbc5f5bcba7d932c6f8394c17a37319ad8386d26ff1f7f93ffdd93fe918904852b0 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbghelp.dll
| MD5 | f4bf4aabbf848470e96c109867fc0b66 |
| SHA1 | 1cc1e36db5fd9730984d7bb33f5ef177400185b5 |
| SHA256 | a80804664d4389c02754d4f8c8ce8fa506f386c45a9597b5298cc5c636c91359 |
| SHA512 | 73882ae42faed532fa550e4aa1a426a6b87e0716d71482cac53fa957ee3a595a7c88430cf3c8e8950cc455119f42cfdf0c206c6f4f66a01e792215762c1edb47 |
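The listing above records the same path several times with different digests (C:\Windows\rss\csrss.exe, C:\Windows\windefender.exe, 38AC.exe and S9bpWUSHmYnccwU6BrdZHNx5.exe each appear more than once), and one S9bpWUSHmYnccwU6BrdZHNx5.exe entry carries the digests of a zero-length file (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855): the sandbox captured the path but no content, so those values are not usable as IOCs. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It parses this flattened path-plus-hash-rows layout, validates digest lengths via hashlib, flags empty-file records, and groups distinct SHA256 values per path so that each rewrite of a path becomes its own indicator. Function names are mine; the sample input is an excerpt of three records from this report.

```python
"""Parse a sandbox dropped-file listing (path line followed by '| ALG | hex |' rows)
into per-path IOC records, and check the digests before using them.

Added example, not part of the sandbox report. Helper names are assumptions.
"""
import hashlib
import re
from collections import defaultdict

ALGS = ("MD5", "SHA1", "SHA256", "SHA512")

# Expected hex-digit length per algorithm, taken from hashlib rather than typed by hand.
HASH_LEN = {alg: hashlib.new(alg.lower()).digest_size * 2 for alg in ALGS}

# Digests of the zero-length input: a record carrying these means the sandbox saw the
# path created or truncated but captured no bytes, so the hashes identify nothing.
EMPTY_FILE = {alg: hashlib.new(alg.lower(), b"").hexdigest() for alg in ALGS}

ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")


def parse_listing(text):
    """Return [{'path': str, 'hashes': {alg: hex}}, ...] in report order.

    A non-row line opens a new record; the hash rows that follow belong to it.
    memory/... dump references carry no digests and are skipped.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or MEM_RE.match(line):
            continue
        m = ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            current["hashes"][m.group(1).upper()] = m.group(2).lower()
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def check_record(rec):
    """Return a list of findings for one record; an empty list means it is usable."""
    findings = []
    for alg in ALGS:
        digest = rec["hashes"].get(alg)
        if digest is None:
            findings.append(f"missing {alg}")
        elif len(digest) != HASH_LEN[alg]:
            findings.append(f"{alg} has {len(digest)} hex digits, expected {HASH_LEN[alg]}")
    if all(rec["hashes"].get(alg) == EMPTY_FILE[alg] for alg in ALGS):
        findings.append("zero-length file (hashes of the empty input)")
    return findings


def group_by_path(records):
    """Map path -> distinct SHA256 values written to it, in first-seen order.

    One path with several digests means the file was rewritten during detonation,
    so each digest is a separate indicator, not a duplicate.
    """
    groups = defaultdict(list)
    for rec in records:
        sha = rec["hashes"].get("SHA256")
        if sha and sha not in groups[rec["path"]]:
            groups[rec["path"]].append(sha)
    return dict(groups)


def unique_sha256(records):
    """Deduplicated SHA256 IOCs with the empty-file digest excluded."""
    seen = []
    for rec in records:
        sha = rec["hashes"].get("SHA256")
        if sha and sha != EMPTY_FILE["SHA256"] and sha not in seen:
            seen.append(sha)
    return seen


# Excerpt of three records from this report, embedded here as sample input.
SAMPLE = r"""
C:\Windows\rss\csrss.exe
| MD5 | b3624bc72696cead56ccc0b86e4bdda6 |
| SHA1 | d49d39705a3f8bd836b084acd72eee974c62d4f4 |
| SHA256 | e9b30abe493a9ff8b87e0c15b99fd0322736ca6f54fe13d453b6e416d8454fca |
| SHA512 | abff8f4bfab43d951629cfd30cced1a5caccb54e5ca895474bcccff49359773e54e81185d2da5b4b9f8c72073be056d228613727fe0b7bd41d3c356b2c35caea |
memory/5324-457-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 25c7b4c4349aa1d805e400a11a4806f9 |
| SHA1 | 424f4329b643e3cc08a2153db5bedf9a13b56fd5 |
| SHA256 | 8e3786c788981fc42e788744715d67e86e2c87acbe00a6e4831935c4de701861 |
| SHA512 | b40286933d8b1ab7f08c5731455fd44dcd2eac006a4528b6a20e047925b5e308d61162f1221e6e5ccefe41490ef2ceda01b42b0ffee033205aa6f8d1900fdaf1 |
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for rec in recs:
        print(rec["path"], check_record(rec) or "ok")
    print("IOCs:", unique_sha256(recs))
```

Run the script as-is on the excerpt, or feed it the whole file list from the report; any record reported as "missing" or with a wrong digit count was mangled in extraction and should be re-pulled from the source before it goes into a blocklist.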