Malware Analysis Report

2025-01-02 11:12

Sample ID 240311-rmt9nacg8z
Target file.exe
SHA256 c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
Tags
dcrat djvu glupteba smokeloader socks5systemz stealc vidar pub1 backdoor botnet discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx zgrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

dcrat djvu glupteba smokeloader socks5systemz stealc vidar pub1 backdoor botnet discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx zgrat

Djvu Ransomware

Glupteba payload

DcRat

Detect ZGRat V1

Socks5Systemz

SmokeLoader

Detect Vidar Stealer

Detected Djvu ransomware

Windows security bypass

Stealc

ZGRat

Vidar

Glupteba

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Modifies file permissions

Drops startup file

Unexpected DNS network traffic destination

Windows security modification

Loads dropped DLL

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 14:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 14:19

Reported

2024-03-11 14:21

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t4tl6jHO4SIWczGsNZGRqcUj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w4ZTapxD7GemwzqzaklQjmjK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bVUutufBdKDmV3ISoEdc5Dw1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m3sZcd0RM0fRh4ZiJbzIYFsP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AokHxFzZ7ruItC2LLQYtbas1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uX2AX2axOKzXlZbjtglSBcKC.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Possible attempt to disable PatchGuard

evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t4tl6jHO4SIWczGsNZGRqcUj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AokHxFzZ7ruItC2LLQYtbas1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w4ZTapxD7GemwzqzaklQjmjK.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bVUutufBdKDmV3ISoEdc5Dw1.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m3sZcd0RM0fRh4ZiJbzIYFsP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\jsjihsv | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 152.89.198.214 | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uX2AX2axOKzXlZbjtglSBcKC.exe = "0" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\44fa3a3d-4775-4760-bbfe-779fdb5d41b8\\D663.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D663.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | bitbucket.org | N/A | N/A
N/A | bitbucket.org | N/A | N/A
N/A | pastebin.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
File created | C:\Windows\Logs\CBS\CbsPersist_20240311141921.cab | C:\Windows\system32\makecab.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jsjihsv | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jsjihsv | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jsjihsv | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data not reproduced] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not reproduced] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
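A Blob value under SystemCertificates\...\Certificates\<thumbprint> is CryptoAPI's serialized certificate context: a sequence of records, each a 32-bit property id, a 32-bit reserved field (always 1), a 32-bit length and the data. The DER certificate sits in CERT_CERT_PROP_ID (0x20) and the SHA-1 the key is named after in CERT_SHA1_HASH_PROP_ID (0x03), so the entry can be checked rather than judged by its key name alone. The script below is an added example written for this page, not output of the sandbox: it parses the one blob the report reproduces in full (the AuthRoot entry written by build2.exe), recomputes the thumbprint from the embedded certificate, and reads the friendly name and common name. That blob decodes to the DigiCert High Assurance EV Root CA, the kind of root Windows' automatic root update writes into AuthRoot when a TLS handshake needs a root not yet in the local store, so this row on its own is not evidence of a malicious root install. The ROOT\Certificates writes by patch.exe and csrss.exe carry blobs that are not reproduced here, so the same check cannot be run on them from this page; it should be run on the full sandbox output before that signature is treated as an attacker-controlled root. Property-id names are from wincrypt.h; ids not in the table are printed by number. The common-name extraction is a deliberately minimal DER scan (first commonName attribute, short-form length), which is enough for a self-signed root where issuer and subject match; a full X.509 parser is the right tool for anything else.

```python
import hashlib
import struct

# Property identifiers from wincrypt.h for the records seen in this blob.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
}
CERT_SHA1_HASH_PROP_ID, CERT_FRIENDLY_NAME_PROP_ID, CERT_CERT_PROP_ID = 0x03, 0x0B, 0x20
OID_COMMON_NAME = bytes.fromhex("0603550403")  # DER-encoded id-at-commonName (2.5.4.3)

# The Blob written by build2.exe under AuthRoot\Certificates\5FB7EE06..., copied from the
# row above. The report splits the value over two lines; the three pieces here are the
# property records up to the CERT_CERT_PROP_ID header, then the certificate as printed
# on each of the report's two lines.
BLOB_HEX = (
    "190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000"
    "308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040"
    "530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a"
)


def parse_cert_blob(blob):
    """Split a SystemCertificates Blob into {propid: data}.

    Each record is: u32 propid, u32 reserved (always 1), u32 length, data (all little-endian).
    """
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed record 0x%x at offset %d" % (propid, off - 12))
        props[propid] = blob[off:off + length]
        off += length
    return props


def first_common_name(der):
    """Minimal scan: the string following the first commonName OID (issuer CN for a root)."""
    i = der.find(OID_COMMON_NAME)
    if i < 0:
        return None
    i += len(OID_COMMON_NAME)
    tag, length = der[i], der[i + 1]
    if tag not in (0x13, 0x0C) or length >= 0x80:  # PrintableString / UTF8String, short length
        return None
    return der[i + 2:i + 2 + length].decode("utf-8")


def describe_cert_entry(key_thumbprint, blob_hex):
    """Cross-check a Certificates\\<thumbprint> entry against the certificate it stores."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    stored = props[CERT_SHA1_HASH_PROP_ID].hex()
    computed = hashlib.sha1(der).hexdigest()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "properties": [PROP_NAMES.get(p, "PROP_0x%02x" % p) for p in props],
        "friendly_name": friendly,
        "common_name": first_common_name(der),
        "cert_len": len(der),
        "stored_thumbprint": stored,
        "computed_thumbprint": computed,
        "consistent": stored == computed == key_thumbprint.lower(),
    }


if __name__ == "__main__":
    info = describe_cert_entry("5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", BLOB_HEX)
    for key, value in info.items():
        print("%-20s %s" % (key, value))
```

The same parser can be fed the raw bytes of any Blob value (from a registry export or an offline hive); a key whose name does not match the SHA-1 of the stored certificate, or a certificate whose subject is not a public root, is what a genuinely planted root looks like.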

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe N/A
N/A N/A C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp N/A
[36 rows in which every column is N/A omitted]
N/A N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe N/A
[13 rows in which every column is N/A omitted]
N/A N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe N/A
N/A N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe N/A
N/A N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe N/A
N/A N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe N/A
N/A N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe N/A
[4 rows in which every column is N/A omitted]

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jsjihsv N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2752 wrote to memory of 1692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe
PID 2752 wrote to memory of 1692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe
PID 2752 wrote to memory of 1692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe
PID 2752 wrote to memory of 1692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe
PID 2752 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
PID 2752 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
PID 2752 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
PID 2752 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
PID 2752 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
PID 2752 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
PID 2752 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
PID 1156 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
PID 1156 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
PID 1156 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
PID 1156 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
PID 1156 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
PID 1156 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
PID 1156 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
PID 2868 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2868 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2868 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2868 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2868 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2868 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2868 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2868 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2752 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
PID 2752 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
PID 2752 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
PID 2752 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
PID 2524 wrote to memory of 2652 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\system32\cmd.exe
PID 2524 wrote to memory of 2652 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\system32\cmd.exe
PID 2524 wrote to memory of 2652 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\system32\cmd.exe
PID 2524 wrote to memory of 2652 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2652 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2652 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2496 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\rss\csrss.exe
PID 2524 wrote to memory of 2496 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\rss\csrss.exe
PID 2524 wrote to memory of 2496 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\rss\csrss.exe
PID 2524 wrote to memory of 2496 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\rss\csrss.exe
PID 2496 wrote to memory of 2032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2496 wrote to memory of 2032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2496 wrote to memory of 2032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2496 wrote to memory of 2032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2752 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe
PID 2752 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe
PID 2752 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe
PID 2752 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe
PID 2488 wrote to memory of 2604 N/A C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2488 wrote to memory of 2604 N/A C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2488 wrote to memory of 2604 N/A C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
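The table above repeats one row per write call, which hides the shape of the chain. The following is an added example written for this page, not sandbox output: it parses a constructed subset of the rows above (repeats kept for the first two edges so the counting is visible), collapses them into writer/target edges with a write count, and prints the tree. Reading it this way shows file.exe writing into both powershell.exe and jsc.exe, jsc.exe in turn being the writer into the four droppers under Pictures\, and the PID 2524 instance of uX2AX2axOKzXlZbjtglSBcKC.exe appearing as a second root because nothing in this table wrote into it. The only assumption is the row shape itself, which is read from the table; rows that do not fit it are skipped rather than guessed at.

```python
import re
from collections import Counter, OrderedDict

# Shape of one row: PID <src> wrote to memory of <dst> N/A <source image> <target image>
# Image paths can contain spaces, so the source path is matched non-greedily up to the
# drive letter that opens the target path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")

# Constructed subset of the rows above; the repeats are kept for the first two edges.
SAMPLE_ROWS = r"""
PID 2856 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2856 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2752 wrote to memory of 1692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe
PID 2752 wrote to memory of 1156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe
PID 1156 wrote to memory of 2868 N/A C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp
PID 2868 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2868 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2752 wrote to memory of 1896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe
PID 2524 wrote to memory of 2652 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2496 N/A C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe C:\Windows\rss\csrss.exe
PID 2496 wrote to memory of 2032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2752 wrote to memory of 2488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe
PID 2488 wrote to memory of 2604 N/A C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
"""


def parse_write_rows(text):
    """Return ({pid: image path}, Counter{(writer pid, target pid): number of writes})."""
    images, edges = {}, Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # blank line, header or a row that does not fit the shape
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        images.setdefault(src, m.group(3))
        images.setdefault(dst, m.group(4))
        edges[(src, dst)] += 1
    return images, edges


def build_tree(edges):
    """Children per PID in first-seen order, plus the PIDs nobody wrote into (the roots)."""
    children, targets = OrderedDict(), set()
    for src, dst in edges:  # Counter keeps insertion order
        children.setdefault(src, []).append(dst)
        targets.add(dst)
    roots = [pid for pid in children if pid not in targets]
    return children, roots


def depth_of(children, roots, pid):
    """Number of edges from a root down to pid, or -1 if pid is not reachable."""
    stack = [(root, 0) for root in roots]
    while stack:
        cur, depth = stack.pop()
        if cur == pid:
            return depth
        stack.extend((child, depth + 1) for child in children.get(cur, []))
    return -1


def render(images, edges, children, roots):
    """Indented tree, one line per PID, annotated with the write count from its parent."""
    lines = []

    def walk(pid, depth, parent):
        line = "  " * depth + "%d %s" % (pid, images[pid])
        if parent is not None:
            line += " (%d writes)" % edges[(parent, pid)]
        lines.append(line)
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return lines


if __name__ == "__main__":
    images, edges = parse_write_rows(SAMPLE_ROWS)
    children, roots = build_tree(edges)
    print("\n".join(render(images, edges, children, roots)))
```

Write counts are worth keeping: a single write before a child starts is what a normal CreateProcess looks like from this vantage point, while several writes into a freshly created process (file.exe into jsc.exe here) is the pattern of a loader replacing the child's image.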

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe

"C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe"

C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe

"C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe"

C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp" /SL5="$50186,1518993,56832,C:\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe"

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s

C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe

"C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311141921.log C:\Windows\Logs\CBS\CbsPersist_20240311141921.cab

C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe

"C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe

"C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\80E3.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\D663.exe

C:\Users\Admin\AppData\Local\Temp\D663.exe

C:\Users\Admin\AppData\Local\Temp\D663.exe

C:\Users\Admin\AppData\Local\Temp\D663.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {34F8806D-0F9B-4957-93E8-DCE9229BF71C} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\jsjihsv

C:\Users\Admin\AppData\Roaming\jsjihsv

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\44fa3a3d-4775-4760-bbfe-779fdb5d41b8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\D663.exe

"C:\Users\Admin\AppData\Local\Temp\D663.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D663.exe

"C:\Users\Admin\AppData\Local\Temp\D663.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe

"C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe"

C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe

"C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe"

C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe

"C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe"

C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe

"C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1396

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
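The command lines in this section are what detection content gets written against: a Defender exclusion for the whole user profile, a firewall allow rule for a csrss.exe that lives in C:\Windows\rss instead of System32, a logon task at highest run level pointing at it, scheduled tasks targeting user-writable paths, a new boot entry with nointegritychecks set and recovery disabled that is then made the default, and an icacls deny for Everyone on the ransomware's own directory. The script below is an added example written for this page, not part of the report or of any vendor's rule set. It runs a small rule list over a constructed subset of the command lines above, including the benign makecab and WerFault lines so the reader can see them produce no hit, and flags the csrss.exe path by location rather than by command text. Technique identifiers are ATT&CK Enterprise; the netsh rule fires twice because the cmd.exe wrapper and netsh.exe both carry the same text, which is the expected duplicate when both parent and child are logged.

```python
import ntpath
import re

# Core Windows processes that legitimately run only from the system directories.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "lsass.exe", "services.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# (rule name, ATT&CK technique or None, pattern over the command line)
RULES = [
    ("defender-exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("firewall-allow-rule", "T1562.004",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)),
    ("schtasks-elevated-logon", "T1053.005",
     re.compile(r"schtasks\b.*/create\b.*/RL\s+HIGHEST\b", re.I)),
    ("schtasks-user-writable-target", "T1053.005",
     re.compile(r"/create\b.*/tr\s+\"?'?C:\\Users\\", re.I)),
    ("bcdedit-disable-integrity-checks", "T1553.006",
     re.compile(r"bcdedit(\.exe)?\b.*\bnointegritychecks\s+1\b", re.I)),
    ("bcdedit-disable-recovery", "T1490",
     re.compile(r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+0\b", re.I)),
    ("bcdedit-new-default-boot-entry", None,
     re.compile(r"bcdedit(\.exe)?\b.*\s-(create|default)\s+\{", re.I)),
    ("icacls-deny-everyone", "T1222.001",
     re.compile(r"icacls\b.*/deny\s+\*S-1-1-0\b", re.I)),
]

# Constructed subset of the (image, command line) pairs listed above.
SAMPLE_PROCESSES = [
    (r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile'),
    (r"C:\Windows\system32\makecab.exe",
     r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311141921.log C:\Windows\Logs\CBS\CbsPersist_20240311141921.cab'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\system32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F'''),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\44fa3a3d-4775-4760-bbfe-779fdb5d41b8" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1396"),
    (r"C:\Windows\system32\bcdedit.exe",
     r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER'),
    (r"C:\Windows\system32\bcdedit.exe",
     r"C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0"),
    (r"C:\Windows\system32\bcdedit.exe",
     r"C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1"),
    (r"C:\Windows\system32\bcdedit.exe",
     r"C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}"),
]


def masquerading_findings(image, cmdline):
    """A core-OS process name running from outside the system directories (T1036.005)."""
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    if name in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS:
        return [{"rule": "masquerading-system-process-name", "technique": "T1036.005",
                 "image": image, "cmdline": cmdline}]
    return []


def triage(processes):
    """Run the path check and every command-line rule over (image, cmdline) pairs."""
    findings = []
    for image, cmdline in processes:
        findings.extend(masquerading_findings(image, cmdline))
        for rule, technique, pattern in RULES:
            if pattern.search(cmdline):
                findings.append({"rule": rule, "technique": technique,
                                 "image": image, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print("%-34s %-10s %s" % (f["rule"], f["technique"] or "-", f["cmdline"]))
```

The bcdedit entry-creation rule deliberately carries no technique id: creating an OSLOADER entry and making it the default is only meaningful together with the nointegritychecks and recoveryenabled changes on the same identifier, which the other two rules already attribute.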

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.34.170:443 pastebin.com tcp
US 188.114.97.2:443 yip.su tcp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 midnight.bestsup.su udp
US 8.8.8.8:53 namecloudvideo.org udp
US 8.8.8.8:53 net.geo.opera.com udp
US 15.204.49.148:80 15.204.49.148 tcp
DE 185.172.128.126:80 185.172.128.126 tcp
US 104.21.65.148:443 namecloudvideo.org tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 104.21.29.103:80 midnight.bestsup.su tcp
RU 194.87.206.12:80 galandskiyher5.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 shipbank.org udp
US 104.21.10.217:443 shipbank.org tcp
US 8.8.8.8:53 be1cce57-96b8-4a76-9d21-557f96f2d401.uuid.filesdumpplace.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
DE 185.172.128.187:80 185.172.128.187 tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
KR 211.202.224.10:80 sdfjhuz.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 172.67.139.220:443 api.2ip.ua tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 172.67.139.220:443 api.2ip.ua tcp
KR 211.202.224.10:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
AR 181.99.123.204:80 sajdfue.com tcp
AR 181.99.123.204:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
DE 49.12.116.63:80 49.12.116.63 tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
AU 104.192.141.1:443 bitbucket.org tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
RU 152.89.198.214:53 cesdgqz.net udp
TR 195.16.74.230:80 cesdgqz.net tcp
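The table above is one row per connection, and the patterns that matter are easier to see once it is summarised: a DNS query sent somewhere other than the resolver every other lookup in the table used (8.8.8.8:53), connections made straight to an address with no name resolved (the Domain column repeats the IP), one address answering for several names, a single host contacted dozens of times over plaintext HTTP, and contact with an external-IP lookup service or a public hosting site. The script below is an added example written for this page, not sandbox output: it parses a hand-copied subset of the rows above and reports those patterns. The resolver address is read from the table itself; the lists of IP-lookup services and public hosting sites are short analyst-maintained assumptions, not anything the report provides, and the beacon threshold is arbitrary.

```python
from collections import Counter, defaultdict

EXPECTED_RESOLVER = "8.8.8.8:53"      # every other lookup in the table goes here
IP_LOOKUP_SERVICES = {"api.2ip.ua"}   # assumed analyst list of external-IP services
PUBLIC_HOSTING = {"pastebin.com", "bitbucket.org", "steamcommunity.com"}  # assumed list
BEACON_THRESHOLD = 5                  # arbitrary: plaintext HTTP hits to one host

# Constructed subset of the rows above, same four-column layout.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 15.204.49.148:80 15.204.49.148 tcp
DE 185.172.128.126:80 185.172.128.126 tcp
RU 194.87.206.12:80 galandskiyher5.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
GB 23.214.154.77:443 steamcommunity.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
RU 152.89.198.214:53 cesdgqz.net udp
TR 195.16.74.230:80 cesdgqz.net tcp
"""


def parse_rows(text):
    """Turn the whitespace-separated table into dicts; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def analyse(rows):
    """Return {category: sorted list of tuples} for the patterns worth a second look."""
    found = defaultdict(set)
    http_counts = Counter()
    domains_per_ip = defaultdict(set)
    for r in rows:
        dest = "%s:%d" % (r["ip"], r["port"])
        if r["port"] == 53 and dest != EXPECTED_RESOLVER:
            found["dns-to-unexpected-resolver"].add((r["domain"], dest))
        if r["proto"] != "tcp":
            continue
        if r["domain"] == r["ip"]:                      # no name resolved for this connection
            found["direct-to-ip"].add((dest, r["country"]))
        if r["domain"] in IP_LOOKUP_SERVICES:
            found["external-ip-lookup"].add((r["domain"], dest))
        if r["domain"] in PUBLIC_HOSTING:
            found["public-hosting-service"].add((r["domain"], dest))
        if r["port"] == 80:
            http_counts[r["domain"]] += 1
        domains_per_ip[r["ip"]].add(r["domain"])
    for domain, n in http_counts.items():
        if n >= BEACON_THRESHOLD:
            found["repeated-plaintext-http"].add((domain, n))
    for ip, domains in domains_per_ip.items():
        if len(domains) > 1:
            found["shared-ip-multiple-domains"].add((ip, tuple(sorted(domains))))
    return {category: sorted(items) for category, items in found.items()}


if __name__ == "__main__":
    for category, items in analyse(parse_rows(SAMPLE_TABLE)).items():
        print(category)
        for item in items:
            print("   ", *item)
```

On the full table the repeated-plaintext-http count for trad-einmyus.com is far higher than in this subset, and 194.87.206.12 is the one address serving both it and galandskiyher5.com; the cesdgqz.net lookup is the single query that bypassed the configured resolver, which is the behaviour to look for in DNS telemetry rather than in HTTP logs.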

Files

memory/2608-4-0x000000001B570000-0x000000001B852000-memory.dmp

memory/2608-5-0x0000000001C80000-0x0000000001C88000-memory.dmp

memory/2608-6-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

memory/2608-7-0x00000000028F0000-0x0000000002970000-memory.dmp

memory/2608-8-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

memory/2608-10-0x00000000028F0000-0x0000000002970000-memory.dmp

memory/2608-9-0x00000000028F0000-0x0000000002970000-memory.dmp

memory/2608-11-0x00000000028F0000-0x0000000002970000-memory.dmp

memory/2608-12-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

memory/2752-26-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2752-24-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2752-22-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2752-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2752-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2752-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2752-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2752-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2752-27-0x0000000074650000-0x0000000074D3E000-memory.dmp

memory/2752-28-0x0000000000430000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar1A4B.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\Pictures\O6JqCT0Z6MKi8cdeTIACEL8D.exe

MD5 e474dda04f6f90ba50ebff47395b19c9
SHA1 db1dc005639d232a25e074267239fd9e5fcbe6c7
SHA256 d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef
SHA512 aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055

memory/1692-104-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/1692-103-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/1692-105-0x0000000000400000-0x0000000001A34000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b38087a9f30ddbe0b644248d021b83dc
SHA1 ac395940b514a74445b5e1eccc78968d0598ca2c
SHA256 467dbb351da372e147275d5c8b8df3fc9b275f3a86b7d7c6747955210a71648a
SHA512 57244ed4e4a2f28e56956f28ac2f021a1dcaac946abb10c074a56d7a74706a3cc1414cf2b334f72189854d5d061a1fed6ee375952acdaf17a6ee0b0da205f568

\Users\Admin\Pictures\vVMs8bK0OxOyrdIQ5z3you1B.exe

MD5 3ca2f625386f7a3ca29376148974fa64
SHA1 646443709518ef699bae4755b262370ff6e7fbcc
SHA256 25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4
SHA512 dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79

memory/1156-209-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1156-213-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-CEMOA.tmp\vVMs8bK0OxOyrdIQ5z3you1B.tmp

MD5 150a46b9c3e09bc0ed8d581669fe605b
SHA1 760baa334e4e024e80f27f8e23b900600281a853
SHA256 2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f
SHA512 d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805

memory/2868-218-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-93EVG.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-93EVG.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2868-252-0x0000000003490000-0x000000000364B000-memory.dmp

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

MD5 49fc5d878e59f728efd5427c905efbba
SHA1 35db9693fdd780fe3b4869dde52080dcd856d724
SHA256 fb04dbdeb681ff10f950aa2e225ae0168f165f9611e409f8b1eef1d45e13c2a8
SHA512 1dece436bb60fca62f0bd07f78c6069e933cea87ff464c0444f57b2bae64f75bd5e0113a1465b32f933563cc13b5e20dbc47062c2db8add39314070afa2b4cca

memory/1280-253-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/1280-254-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/1280-256-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

MD5 0a6791a2ff80e4876383a2fa3f7493fe
SHA1 bdaa74d716af8adbf01752597575b3ec6bb32e37
SHA256 e3d2126b727e9a8dc6c624f0f9ac777e941fa8bb42fa2b9a0adb825d6fb7f6a2
SHA512 affdfc53f442c0647285822627c8fea2d18c298d86c11c92ba7f413e3ef9936d117b8ec33b3c6d464415519ccf279ae95c60670fc9946ce7f1378c2be6d711b2

memory/1280-258-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/672-260-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/1184-261-0x0000000002500000-0x0000000002516000-memory.dmp

memory/1692-262-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2752-266-0x0000000074650000-0x0000000074D3E000-memory.dmp

memory/672-267-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/2752-268-0x0000000000430000-0x0000000000470000-memory.dmp

\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe

MD5 0b4cc942124b93aef88050e38874a6d5
SHA1 5263dfd5adfd7cda506ea69ea307d2096b392ba0
SHA256 2063b0353a8afc87fe18faed69f654ae21e294d45169f7dca377965e1d527cb3
SHA512 2fb06a3bf5bf15759138d3cbc025fa94bb5beac782bf4df2891b1f28655d6becf37d50ce44175671c4f02a9ea8f708561388a223f0d0570c0722e4f10bf972e8

\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe

MD5 7c800101dc4823fe1ae850f865937988
SHA1 82a5788d4fee8b3aad20ff7a7aadfc47beb1afa6
SHA256 b8c9042050372a11fd996ad6bbe0349a1673a41956888799d9963c7d194cfad3
SHA512 317b43b8ca34b4108355306bac32f58c1d2d8d4a348423b9061426405457e2e98b363c9fb2fa10c428ae8441686b960abbdc75957554c47adc95418319ea94f9

C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe

MD5 cb5dcf49a515829a80edd2bf236b3b25
SHA1 c65f02bd132da2ab23298f047a26de0028184ac6
SHA256 f3cb66abf138e3e16dde1dadb4262097d0529cacf688893db89ed356dce06631
SHA512 a59cb612b8e68dc5a2d17cc6cf9253b4ea5c37277b2eba33885589457f31143496d1ddc74b83ea6af31084c4ad72b1809cdd6f084d72e4e1b848eb3a05d270de

C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe

MD5 14434816cf8d07a99282c5d5c08bd313
SHA1 ada21eb4aec83894df4d9b9f7a76a649eae7c071
SHA256 501a1920e502f5db7298f39f8f7a125e826f390b800f8316254e4fa84b58e5bc
SHA512 805cf29406c1f7727d5c6885e2301f72b15472efd67cc2f8c0c8f67fa2fccec0606cb591fc8dc19f0589e0a93686e16c165470c8af995362f105f80509416233

memory/1896-280-0x0000000003740000-0x0000000003B38000-memory.dmp

memory/1896-281-0x0000000003740000-0x0000000003B38000-memory.dmp

memory/1896-282-0x0000000003B40000-0x000000000442B000-memory.dmp

memory/1156-283-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe

MD5 d184e9f455a3fb4b66cda4f480e2ebf8
SHA1 1369492c1ce7ce4bd8cee7a9bde706b781fb9f46
SHA256 bbecbf128a00477ac026297bac7bd37e623bace32afdda18cd561a8ea5fa06ab
SHA512 c4d335b6325e1638cc24476d4248cb5fa45e75564561fdff10c889b6d269fab9bf798f115c3858e50b0a39328845189571a7d67d4318d004a9a5cc0af8afd97e

memory/1896-285-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Users\Admin\Pictures\uX2AX2axOKzXlZbjtglSBcKC.exe

MD5 d57cb10c5c1f1d23da05314901f5742a
SHA1 a9ab9014ba49617cc39c769fa977f6b905ab833c
SHA256 09f806e42e4300385d97ab72f42c34c1030d6f29c093e1201395180ca2970b5c
SHA512 392159ae26517ee9577965ae817b5376f76bc538f7ccf00d2d6721ddc230f02a3fbc81fc66c53b966deda742627aeb57eb417c7862d805ba20dd00b54c1e5ee3

memory/2524-288-0x00000000035B0000-0x00000000039A8000-memory.dmp

memory/2868-289-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2868-290-0x0000000003490000-0x000000000364B000-memory.dmp

memory/1896-287-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2524-291-0x00000000035B0000-0x00000000039A8000-memory.dmp

memory/2524-292-0x00000000039B0000-0x000000000429B000-memory.dmp

memory/2524-293-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1896-294-0x0000000003740000-0x0000000003B38000-memory.dmp

\Windows\rss\csrss.exe

MD5 1a17578c3cb57a2e2776c71978145c49
SHA1 cfdca7bfd1250cb3eb10c484d63c6e8a247ecf21
SHA256 6c4d2627a55366417b90ae139fed20758e920c62cce0d4eedce2c3f154bfc265
SHA512 017044a7f3bcc6c91a2eb26f929f8b35a8bde56fcc64560e95ff6c53fef3a5d6d774f325c88462a8e4801a95aff796a19df7ed68a609b1d18e4b9e98a75d807f

\Windows\rss\csrss.exe

MD5 549cefed369efe3a0b4ac42b2d2ca442
SHA1 23c0a9a5d6772c13dbb9844571a839177ca7c2ca
SHA256 5cba3c90e33c49ad8fb79b745d3ff4d1fd233a71e9900b86f4bf7d6452aae57c
SHA512 d7e4ee89caf1bc82a979d385c462d0127b74b85db2b00c5b2c717b48165c9644e258344ab582dd41bb55d68b5ad54ac5cd195ae99e444b3f9137faa23aa5060c

memory/2496-304-0x00000000036D0000-0x0000000003AC8000-memory.dmp

memory/2524-303-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2496-305-0x00000000036D0000-0x0000000003AC8000-memory.dmp

memory/672-307-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f0120d35baa630b5d0bd88357c941c88
SHA1 3d6f658eafd4c7e7bfe1445c9b73f6af777a3e41
SHA256 5509fb8ed4fec88c683f35deb2303078270f6298ddac4882a36da8cef7751dba
SHA512 cedfbee2164ffb5a917777888deeb680ea0fa00e35c1aa21c801aedc155dcc35c289857fe2dd703dec897e18acf51bdba80a37cbcd2ca3ad145ca25c45a58ae3

memory/2496-308-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2868-310-0x0000000000400000-0x00000000004BC000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/1884-316-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 8fcc416ff8491b0012d1f885dc9818f8
SHA1 5998d978b8507ef43f65bad157d522afcb63196e
SHA256 31b96e596736e23c131d8b5e7f8f210b5612393fabcd91aa1b89a4b1ee32d892
SHA512 75bbec9b7ad07227bedcaedf2c6000c9376f10c640d92118a9d34b4f4c5860b8396c4235bb8dcea68b769e5f806130cdf2aaf148bf0b4c7483bfba48244a7ccd

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 cc05ed7d3025095d6ca6abb8a2942311
SHA1 ed0afe1de97de4e9a8f3338e64d96a62e7de4b4e
SHA256 2638b858c8f7e1a389ad76ef4475d45f04685249d49331abcb8837659bf7eb88
SHA512 52e3b9310704c8ccf01bda2d53a4cd4440b16e1621eb946edf0717909addecf61b8e2741c596dbc3416d60cfc3cec3ba4582182fb9fb56241609d006f50445ed

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 3d813879186f73515a65e994ed42ed6d
SHA1 8e316e2288222f8aa088f58f6a35de17e5d416cc
SHA256 caefadbd01c79b360bdc4b0a7e5a39f29bd8d3898cde324c9197960bdf01ad11
SHA512 1f0c938378d34b69c36d9e3429ce1c4088444a19e7d91525cda1448020826fd68908b222b2fbf5d635db20c1b2963efbb80bbdbcaeb53d6a47be75df25b32c77

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 bd198ae685d635a0cb0ac1729476bfac
SHA1 ef9b9e3541cda853da7b86a3065f44e27218a16e
SHA256 1362b3b957dad4a12f0a8319cbaeadda5bbd9bafdccd3ecd2b11c3f147eedab5
SHA512 5da3fd413dd3d2e989c5dcd3e07437b17a77f20ce2e14435c824277a89a27b7fcd8c98e80bd2aa0c377b3bef6e5cdddc7eb2353599fc31c6845613b43ac2847d

memory/1884-330-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\Pictures\29ivEA8uYF3e8k5EmsJA9WDz.exe

MD5 068db75101316d6596dfcac7d85a2a3f
SHA1 da92a2110c04537ee26b310366e7edcb1a45565d
SHA256 c05e91459daf1a52e713c813e875443667838094d7c03b04b6667642736aad74
SHA512 0f23eccad06f9cacca36e27ac35129afda1497cfc0d1267c3f48ddafa652d7266bb44aed1255cc8d1f8118c7fc7a0077e7674dc613a9c74969ace9d7d6dfe821

\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 099d81985b4d1951c9a0448bdead2e31
SHA1 3707f6971ecdd856999ca980a1b99b551bea5ff9
SHA256 291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095
SHA512 f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2

\Users\Admin\AppData\Local\Temp\nst5BB9.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

memory/672-361-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/2604-363-0x0000000000220000-0x0000000000247000-memory.dmp

memory/2604-362-0x0000000001BB0000-0x0000000001CB0000-memory.dmp

memory/2604-364-0x0000000000400000-0x0000000001A34000-memory.dmp

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 eee5ddcffbed16222cac0a1b4e2e466e
SHA1 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA256 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA512 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

memory/2488-377-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2488-379-0x00000000058C0000-0x0000000005DF0000-memory.dmp

memory/2388-380-0x0000000000400000-0x0000000000930000-memory.dmp

memory/2496-381-0x00000000036D0000-0x0000000003AC8000-memory.dmp

memory/2388-382-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2496-389-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\80E3.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/672-410-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/2604-411-0x0000000000400000-0x0000000001A34000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 333f6a499e6f8df0ec2909395a9839d7
SHA1 2585fa58daba69010eac0daffb716cbb3d05313b
SHA256 d4ec88db48a376d045df5d00ebc4caabdbd4428a14ffa32f88205daa98e65822
SHA512 71d1dc5b0508fa184e666649915476addbe0b6e9b1fa99834effdffe2cf80bc40102d8d832998c6a0b2fbc25a519dd15d8dd7db8c8c1d90fffa5612b6994fa49

memory/2496-434-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2388-435-0x0000000000400000-0x0000000000930000-memory.dmp

memory/2496-438-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2604-439-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/672-468-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/2604-469-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2604-470-0x0000000001BB0000-0x0000000001CB0000-memory.dmp

memory/2604-471-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2488-472-0x00000000058C0000-0x0000000005DF0000-memory.dmp

memory/2388-484-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D663.exe

MD5 51597fedbf769613eac193b679de833d
SHA1 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945
SHA256 b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c
SHA512 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23

memory/1640-499-0x0000000001AB0000-0x0000000001B41000-memory.dmp

memory/1640-501-0x0000000003330000-0x000000000344B000-memory.dmp

memory/1852-506-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1420-510-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/1420-514-0x0000000000400000-0x0000000001A34000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5bfc0186427d9e37d55e3397e3f0795
SHA1 8fdc24f67d5e3b258fd27581560327ace3b4054e
SHA256 9741d9e81a8a63b159711286a51bd6888f7003166424852e2e81ea0892b1edb3
SHA512 bf37ca2e58b1803005f57efb3e837d0ba43b26250f683006ef86bbb469e6b99c0d03f03ca6dba1656b88de223fb4e142c66a2c8cbc437c2a076a3a25bf98e1c5

memory/1852-538-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1076-551-0x0000000000250000-0x00000000002E1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1548103e1299490d7d08fffa07918630
SHA1 c07b8d6c63bfba93d0b61533dec131c9df13bdd7
SHA256 9d4c8ea2311df9881f7c6628b6a9fe101649cdf45e7f0f5cb1aef26801c99c34
SHA512 f309585e402638b3ff95e12b154bb0fe0babb8150f486b96124e9ca146c1a03b26d90402a2e6cefa5f701390547693329ef8814a49c7ac64e513f41d7d3caf39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 779707a85b8d15b16610b90921516eac
SHA1 777fef31460c4d37ff3b05fbab6bfc67dd272996
SHA256 eb22591bb7c9c1386d23f96643301ddb465eb1d350a7320dfdf195cd7a4a63e8
SHA512 7c5f4ea13449ab0b5b19a4772be0b540b0a9ad3cc0ec6557b5ee4abca1a9bb4ad18680d0a6d4612ee1257f29cf4aa7adeb1107a8a9163f25da128b030b2116f3

C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build2.exe

MD5 88c5ca503e8fecbca8ee889a892b165c
SHA1 2ec61a72dc88584abda48f19fb8e4d2847264aed
SHA256 41f6207540f5197717e1c601b43c9c89a5109ff3aab98fe80f6645f0ebd2a153
SHA512 366035a481a439854094d13f8a0b9bf26e706dd43100421d92724baa1f9b1ceac74669e42e9331867a3c364f8e2f0c05d3387e5dea9d8669d29832614fa7b4b9

memory/2436-588-0x0000000001B97000-0x0000000001BB2000-memory.dmp

memory/2436-590-0x0000000000230000-0x0000000000261000-memory.dmp

C:\Users\Admin\AppData\Local\6358fba2-a625-4349-87d5-eb01341bc10f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2612-671-0x0000000000992000-0x00000000009A3000-memory.dmp

memory/2612-673-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1076-677-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

memory/2604-708-0x0000000001BB0000-0x0000000001CB0000-memory.dmp

memory/2604-709-0x0000000000400000-0x0000000001A34000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 14:19

Reported

2024-03-11 14:21

Platform

win10v2004-20240226-en

Max time kernel

74s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zXE7BplJnOvLoBPuJgzWqDdd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MrCh6LTxuAUYHkXUVPJUkWqj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acCvIQIZt1RlxaP49liPXtwA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z7H8NHbFaHbruCtYhnWdBDJL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TPPLqD6M1vwXzKOxY6sV2QJZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TPPLqD6M1vwXzKOxY6sV2QJZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z7H8NHbFaHbruCtYhnWdBDJL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zXE7BplJnOvLoBPuJgzWqDdd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MrCh6LTxuAUYHkXUVPJUkWqj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\acCvIQIZt1RlxaP49liPXtwA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 152.89.198.214 N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3080 set thread context of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp N/A
N/A N/A C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe N/A
N/A N/A C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3080 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3080 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3080 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3080 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3080 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3080 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3080 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2392 wrote to memory of 3612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe
PID 2392 wrote to memory of 3612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe
PID 2392 wrote to memory of 3612 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe
PID 2392 wrote to memory of 4024 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
PID 2392 wrote to memory of 4024 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
PID 2392 wrote to memory of 4024 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
PID 3612 wrote to memory of 1988 N/A C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp
PID 3612 wrote to memory of 1988 N/A C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp
PID 3612 wrote to memory of 1988 N/A C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp
PID 2392 wrote to memory of 4088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe
PID 2392 wrote to memory of 4088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe
PID 2392 wrote to memory of 4088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe
PID 4088 wrote to memory of 4468 N/A C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 4088 wrote to memory of 4468 N/A C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 4088 wrote to memory of 4468 N/A C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2392 wrote to memory of 3148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe
PID 2392 wrote to memory of 3148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe
PID 2392 wrote to memory of 3148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe
PID 1988 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 1988 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 1988 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 1988 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 1988 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 1988 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 4088 wrote to memory of 692 N/A C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4088 wrote to memory of 692 N/A C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4088 wrote to memory of 692 N/A C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4024 wrote to memory of 4732 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4024 wrote to memory of 4732 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4024 wrote to memory of 4732 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 692 wrote to memory of 5592 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 5592 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 692 wrote to memory of 5592 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 5592 wrote to memory of 5684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5592 wrote to memory of 5684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5592 wrote to memory of 5684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5592 wrote to memory of 5708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5592 wrote to memory of 5708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5592 wrote to memory of 5708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3372 wrote to memory of 968 N/A N/A C:\Windows\system32\cmd.exe
PID 3372 wrote to memory of 968 N/A N/A C:\Windows\system32\cmd.exe
PID 968 wrote to memory of 5448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 968 wrote to memory of 5448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5324 wrote to memory of 5584 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5324 wrote to memory of 5584 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5324 wrote to memory of 5584 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5324 wrote to memory of 5812 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\system32\cmd.exe
PID 5324 wrote to memory of 5812 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\system32\cmd.exe
PID 5812 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5812 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5324 wrote to memory of 1300 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5324 wrote to memory of 1300 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5324 wrote to memory of 1300 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5324 wrote to memory of 5328 N/A C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe

"C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe"

C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

"C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe"

C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp" /SL5="$80090,1518993,56832,C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe"

C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe

"C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe

"C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe"

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

"C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA7F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1593.exe

C:\Users\Admin\AppData\Local\Temp\1593.exe

C:\Users\Admin\AppData\Local\Temp\1593.exe

C:\Users\Admin\AppData\Local\Temp\1593.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4468 -ip 4468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b252c0fd-10e5-4d1b-8086-868448a9ca5f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1593.exe

"C:\Users\Admin\AppData\Local\Temp\1593.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 2372

C:\Users\Admin\AppData\Local\Temp\38AC.exe

C:\Users\Admin\AppData\Local\Temp\38AC.exe

C:\Users\Admin\AppData\Local\Temp\1593.exe

"C:\Users\Admin\AppData\Local\Temp\1593.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 776 -ip 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

"C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe" --silent --allusers=0

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x6e4121c8,0x6e4121d4,0x6e4121e0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe" --version

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

"C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5888 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240311142110" --session-guid=e13e9559-45cb-4e14-84b3-b5fd697c8c06 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2fc,0x300,0x304,0x2cc,0x308,0x6d9021c8,0x6d9021d4,0x6d9021e0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xc50040,0xc5004c,0xc50058

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 172.67.34.170:443 pastebin.com tcp
US 188.114.97.2:443 yip.su tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 midnight.bestsup.su udp
US 8.8.8.8:53 net.geo.opera.com udp
US 8.8.8.8:53 namecloudvideo.org udp
DE 185.172.128.126:80 185.172.128.126 tcp
US 15.204.49.148:80 15.204.49.148 tcp
US 104.21.29.103:80 midnight.bestsup.su tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 188.114.96.2:443 namecloudvideo.org tcp
RU 194.87.206.12:80 galandskiyher5.com tcp
US 8.8.8.8:53 148.49.204.15.in-addr.arpa udp
US 8.8.8.8:53 126.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 12.206.87.194.in-addr.arpa udp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 shipbank.org udp
US 104.21.10.217:443 shipbank.org tcp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 217.10.21.104.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
DE 185.172.128.187:80 185.172.128.187 tcp
US 8.8.8.8:53 187.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
MX 189.232.56.10:80 sdfjhuz.com tcp
US 8.8.8.8:53 10.56.232.189.in-addr.arpa udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 94.110.250.142.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 superemeboxlogosites.pro udp
US 8.8.8.8:53 b70b9476-50b5-4f39-8ca3-3f6c0f9cb42d.uuid.filesdumpplace.org udp
US 188.114.97.2:443 superemeboxlogosites.pro tcp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 188.114.97.2:443 wisemassiveharmonious.shop tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 colorfulequalugliess.shop udp
US 188.114.96.2:443 colorfulequalugliess.shop tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 relevantvoicelesskw.shop udp
US 104.21.33.178:443 relevantvoicelesskw.shop tcp
US 8.8.8.8:53 178.33.21.104.in-addr.arpa udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 server14.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun1.l.google.com udp
BG 185.82.216.96:443 server14.filesdumpplace.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server14.filesdumpplace.org tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 123.182.26.185.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.15:443 features.opera-api2.com tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 15.216.145.82.in-addr.arpa udp
NL 82.145.216.24:443 download.opera.com tcp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.176:443 download3.operacdn.com tcp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BG 185.82.216.96:443 server14.filesdumpplace.org tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 152.89.198.214:53 boignui.com udp
TR 195.16.74.230:80 boignui.com tcp
US 8.8.8.8:53 214.198.89.152.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ns1ilfts.tob.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1428-7-0x000001C53BF10000-0x000001C53BF32000-memory.dmp

memory/2392-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1428-11-0x00007FF82D7E0000-0x00007FF82E2A1000-memory.dmp

memory/1428-12-0x000001C5217D0000-0x000001C5217E0000-memory.dmp

memory/1428-13-0x000001C5217D0000-0x000001C5217E0000-memory.dmp

memory/1428-14-0x000001C5217D0000-0x000001C5217E0000-memory.dmp

memory/1428-15-0x000001C5217D0000-0x000001C5217E0000-memory.dmp

memory/1428-18-0x00007FF82D7E0000-0x00007FF82E2A1000-memory.dmp

memory/2392-19-0x0000000074870000-0x0000000075020000-memory.dmp

memory/2392-20-0x0000000005450000-0x0000000005460000-memory.dmp

C:\Users\Admin\Pictures\BOc48RVTxeqcTLguN4DB85xV.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\pdlfWc1qvU3mR8y8YECekgzX.exe

MD5 3ca2f625386f7a3ca29376148974fa64
SHA1 646443709518ef699bae4755b262370ff6e7fbcc
SHA256 25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4
SHA512 dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79

memory/3612-50-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

MD5 367438b39d3e6e775036497c69c6246c
SHA1 b73461e5bdd466af00d57d07c22728bac322f65f
SHA256 125fd354ae4cd5b545c35bb75997189131fdffc0b46f4e9ece0a2c2075dc14bb
SHA512 57cf4a855dc32e9a1b83ef81ffb26e3ad4e6f09f79c0208cdead01188c40cb3e3e87199f9edd0c3aec383b79178cf67fc8f11786209e75b8e9af2878fd90d0b7

C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

MD5 0dd818d2fb073230a3a72333c61f9902
SHA1 5dcb3563d887ce28bacab5a7027fe055e20a82cd
SHA256 f901cec6bc29e552107f4a5ba735187681bc2cae56750f6b555956e486383f33
SHA512 9d1f60f8d83f7912707baa5593f6f8113f2b0cc293143ee5ab793d3b5c26ca342bb1eb5861912497c06932866f79593c4d829900d2ce68371acf9726eb0fc786

C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

MD5 e3fb8c6bc14ba6d7691d6510c4a1cc8e
SHA1 552144000009654622cbb405d4b956fbed05bd28
SHA256 3976e258a5c5151ae1ebe1af80ca58be4631f982007351e2c01bb261b01308c6
SHA512 95e2fe3c3a5f88cafe75710c35773730fd97863b84bda2b4dc4a808ea9960b353549f075d94b066d43512533fba947e3c8628c79936d1a0d33ebb490b6753df2

C:\Users\Admin\AppData\Local\Temp\is-GJCT3.tmp\pdlfWc1qvU3mR8y8YECekgzX.tmp

MD5 150a46b9c3e09bc0ed8d581669fe605b
SHA1 760baa334e4e024e80f27f8e23b900600281a853
SHA256 2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f
SHA512 d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805

memory/4024-62-0x0000000003A80000-0x0000000003E79000-memory.dmp

memory/4024-63-0x0000000003E80000-0x000000000476B000-memory.dmp

memory/1988-68-0x0000000002100000-0x0000000002101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-09FPA.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4024-73-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Users\Admin\Pictures\j1QBZ2MSXVaisVyrSyNaaKIZ.exe

MD5 068db75101316d6596dfcac7d85a2a3f
SHA1 da92a2110c04537ee26b310366e7edcb1a45565d
SHA256 c05e91459daf1a52e713c813e875443667838094d7c03b04b6667642736aad74
SHA512 0f23eccad06f9cacca36e27ac35129afda1497cfc0d1267c3f48ddafa652d7266bb44aed1255cc8d1f8118c7fc7a0077e7674dc613a9c74969ace9d7d6dfe821

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 099d81985b4d1951c9a0448bdead2e31
SHA1 3707f6971ecdd856999ca980a1b99b551bea5ff9
SHA256 291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095
SHA512 f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2

C:\Users\Admin\AppData\Local\Temp\nsl53F9.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\Pictures\aWmYJWP6LEVkakquUiWDAwDX.exe

MD5 e474dda04f6f90ba50ebff47395b19c9
SHA1 db1dc005639d232a25e074267239fd9e5fcbe6c7
SHA256 d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef
SHA512 aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055

memory/2392-119-0x0000000074870000-0x0000000075020000-memory.dmp

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

MD5 49fc5d878e59f728efd5427c905efbba
SHA1 35db9693fdd780fe3b4869dde52080dcd856d724
SHA256 fb04dbdeb681ff10f950aa2e225ae0168f165f9611e409f8b1eef1d45e13c2a8
SHA512 1dece436bb60fca62f0bd07f78c6069e933cea87ff464c0444f57b2bae64f75bd5e0113a1465b32f933563cc13b5e20dbc47062c2db8add39314070afa2b4cca

memory/4468-129-0x0000000001D50000-0x0000000001E50000-memory.dmp

memory/4468-130-0x0000000001CA0000-0x0000000001CC7000-memory.dmp

memory/736-131-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\ProgramData\DirectSoundDriver 2.36.198.67\DirectSoundDriver 2.36.198.67.exe

MD5 c50f8ffa8a216c19442b1e68daf3713a
SHA1 7d249939b1c04db72e57091499b52fb3dfbd6586
SHA256 031c6e90cf7280afa0819560e1e882aa62d53ef3930b67fd36951bcd484a3016
SHA512 478a68fd49676130ce9ecf511354a0223b8e2fd84e181c00f4ed48bf240e2e9b504de13232a0376d086f5b1f09db25c00255185c9c86e87e1e52be6aed62d0de

memory/736-135-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/4468-134-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/3148-137-0x0000000001B50000-0x0000000001B5B000-memory.dmp

memory/3148-136-0x0000000001C20000-0x0000000001D20000-memory.dmp

memory/3148-140-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/5016-141-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/2392-142-0x0000000005450000-0x0000000005460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 eee5ddcffbed16222cac0a1b4e2e466e
SHA1 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA256 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA512 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

memory/4088-154-0x0000000000400000-0x000000000043D000-memory.dmp

memory/692-155-0x0000000000400000-0x0000000000930000-memory.dmp

memory/3612-156-0x0000000000400000-0x0000000000414000-memory.dmp

memory/692-157-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/4024-158-0x0000000003A80000-0x0000000003E79000-memory.dmp

memory/3372-159-0x0000000002F80000-0x0000000002F96000-memory.dmp

memory/4024-160-0x0000000003E80000-0x000000000476B000-memory.dmp

memory/4468-166-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4024-161-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1988-168-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4732-165-0x0000000002870000-0x00000000028A6000-memory.dmp

memory/3148-163-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/4732-172-0x0000000074870000-0x0000000075020000-memory.dmp

memory/4732-175-0x0000000002940000-0x0000000002950000-memory.dmp

memory/4732-176-0x0000000002940000-0x0000000002950000-memory.dmp

memory/4732-180-0x0000000005010000-0x0000000005638000-memory.dmp

memory/4468-210-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/1988-211-0x0000000002100000-0x0000000002101000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\9b7eef56-73eb-4b37-8132-86faba443da9.tmp

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4732-218-0x0000000004D90000-0x0000000004DB2000-memory.dmp

memory/4732-219-0x0000000004E30000-0x0000000004E96000-memory.dmp

memory/4732-220-0x0000000004FA0000-0x0000000005006000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/4732-233-0x0000000005970000-0x0000000005CC4000-memory.dmp

memory/5016-234-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/4732-235-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

memory/4732-236-0x0000000005F90000-0x0000000005FDC000-memory.dmp

memory/692-243-0x0000000000400000-0x0000000000930000-memory.dmp

memory/4468-244-0x0000000001D50000-0x0000000001E50000-memory.dmp

memory/4732-245-0x00000000063C0000-0x0000000006404000-memory.dmp

memory/4732-246-0x0000000002940000-0x0000000002950000-memory.dmp

memory/4732-247-0x0000000007190000-0x0000000007206000-memory.dmp

memory/4732-248-0x0000000007910000-0x0000000007F8A000-memory.dmp

memory/4732-249-0x00000000072B0000-0x00000000072CA000-memory.dmp

memory/4468-250-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/5016-251-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/5016-257-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/5016-258-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/4732-260-0x000000007F8F0000-0x000000007F900000-memory.dmp

memory/4732-261-0x0000000007480000-0x00000000074B2000-memory.dmp

memory/4732-263-0x000000006E230000-0x000000006E584000-memory.dmp

memory/4732-262-0x000000006F0D0000-0x000000006F11C000-memory.dmp

memory/4732-273-0x0000000007460000-0x000000000747E000-memory.dmp

memory/4732-274-0x00000000074C0000-0x0000000007563000-memory.dmp

memory/4732-275-0x00000000075B0000-0x00000000075BA000-memory.dmp

memory/4732-276-0x0000000007670000-0x0000000007706000-memory.dmp

memory/4732-277-0x00000000075D0000-0x00000000075E1000-memory.dmp

memory/4024-279-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/692-281-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/4732-285-0x0000000007610000-0x000000000761E000-memory.dmp

memory/4732-286-0x0000000007620000-0x0000000007634000-memory.dmp

memory/4732-287-0x0000000007710000-0x000000000772A000-memory.dmp

memory/4732-288-0x0000000007660000-0x0000000007668000-memory.dmp

memory/4732-294-0x0000000074870000-0x0000000075020000-memory.dmp

memory/4732-295-0x0000000074870000-0x0000000075020000-memory.dmp

C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe

MD5 662b7d9316e9ece81c1bb758ef1fcaba
SHA1 a24c80f9cd7dd4e6215defb640abd0a26f14e4de
SHA256 7f500246aec0fadc2a1b98c03ef9c51ad7a982f40d250be02e226c0186e59220
SHA512 ce4d4edc36d0f2cf19f944f205dbfc84264b9a7663d352e3b1b9e97ce692c53a5c9ef587fb56936887919e9b229070d5fd3fe00375c87db42914b2e841763e37

memory/4024-297-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CA7F.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/4468-306-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/5324-307-0x0000000003AE0000-0x0000000003EE6000-memory.dmp

memory/5324-308-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/5016-309-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/5324-347-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/5016-352-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 611cb8ccde253e4f3bc65d2f322905b3
SHA1 fe4df19cc69115cdafe40898c22628e4b2810f68
SHA256 3d88bd0dbae70f6267c653f0713672d28d52914b022783741b2a539405117cc1
SHA512 f9cc4ea1d109f779b71c1a3b31b5f00570f024d1cb0cb0dbd51e5b8b6a0abff2a9d9bee627d2a7a69e05e375ad83116d0bbdc81a4385f5920bbe2b1cde267885

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e14c0ab26986712248a8cbf2a55e0323
SHA1 1112de76af4b0f5f9e4374ca45f2d016470581c3
SHA256 1c787fb2b6264c7f6be3c9899690c0ea6de5632df8c0f36c73996104c8a09521
SHA512 78d9003fc4e6bb1811822045d119b45ba928c4e451f269ac1e03f4ac07a7a3d8061e9e297a09f2a60e17ecb8e0e8ed043eb0d71d3e00b03b4e45315045c4ab82

C:\Users\Admin\AppData\Local\Temp\1593.exe

MD5 2f89637e05e9e78d7e98c8ee34da535e
SHA1 31f005ef288cfef2b5ac9e4f246bc9d22098c479
SHA256 3f44b8b747480bc28c43bff52e49ae9a38e635a014ce6de51cef9810ce46c2da
SHA512 87a15db9dd58f168495e21b02f068c39e6be69b5b033dbb909ca3f067ab7f7241368a24e931c0f1a317bf8a927bcd1162c4f6666ab6633bdbfe45d9aaaee435b

C:\Users\Admin\AppData\Local\Temp\1593.exe

MD5 51597fedbf769613eac193b679de833d
SHA1 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945
SHA256 b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c
SHA512 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23

memory/552-444-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5324-433-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/552-446-0x0000000000400000-0x0000000000537000-memory.dmp

memory/552-450-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4468-449-0x0000000000400000-0x0000000001A34000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b3624bc72696cead56ccc0b86e4bdda6
SHA1 d49d39705a3f8bd836b084acd72eee974c62d4f4
SHA256 e9b30abe493a9ff8b87e0c15b99fd0322736ca6f54fe13d453b6e416d8454fca
SHA512 abff8f4bfab43d951629cfd30cced1a5caccb54e5ca895474bcccff49359773e54e81185d2da5b4b9f8c72073be056d228613727fe0b7bd41d3c356b2c35caea

memory/5324-457-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 25c7b4c4349aa1d805e400a11a4806f9
SHA1 424f4329b643e3cc08a2153db5bedf9a13b56fd5
SHA256 8e3786c788981fc42e788744715d67e86e2c87acbe00a6e4831935c4de701861
SHA512 b40286933d8b1ab7f08c5731455fd44dcd2eac006a4528b6a20e047925b5e308d61162f1221e6e5ccefe41490ef2ceda01b42b0ffee033205aa6f8d1900fdaf1

memory/5016-460-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b4d837fa82a59db9afc06a80b157deb
SHA1 3f7446a730059ea0d50d71e458bf1c74384416b1
SHA256 60c56e075d91b33bb92310aa483466ac038ddaaf92a12e0e1691722db6d3146f
SHA512 2f09e293e1deb2c8d15f240c797102bec134c5eec7e21d475f7cde605102193c82c53e1deb36cb6e7c0bbc283fbceaa37dbb6f2d8d572292897506a94bee1002

C:\Users\Admin\AppData\Local\Temp\38AC.exe

MD5 756931963ef47d8261e3090770710355
SHA1 074e49a53dc0dea819a2ce9b487982f0ac114d86
SHA256 6a103e31e7c1990a5f21e6ad483805b01fdbabe9fd9454f42aab0eda9b5d67cf
SHA512 231458212051567f7549a7d24d0d956219e33480fbba3428b2259d571265802aa9b8727998f6c5bf62e30c1ec673619506b5cb9d1220c738af0685be2ec397ce

C:\Users\Admin\AppData\Local\Temp\38AC.exe

MD5 aeb2c8333650e3e57fe5109330c1435a
SHA1 e529dcf82531151201d08e9eea8cb54ada7cce9c
SHA256 eb7e8e099214c01040756833d3ec9c724d7e0242a79b67c92471836e7eab1245
SHA512 3a66f34e6de7a24c3f45cdf9e422feca8d06686c8e8588f5220aabdfe66d41868f1db415afd10288e953590b21d01752b65567ea2e4838d424962a1a23725614

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e93b5f6f5dcd769f05557f9453930640
SHA1 52d8ca01f7b4b0a1a993153f5c0ac33604ea858e
SHA256 7f489e52e5e6fe7ab6afd55d49fc90716010f313008d4a7deb21d0678c1dee2e
SHA512 d9a6a986204df8f64bbe6cf4af416f36259303bfc9edf5142def4719aea121c22d3ee25822d9b6fd6302d41234599899a70ae4de5a7d7065a3645abf6316f846

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 46c6d160fe941ee526213b55931f0e91
SHA1 b6d3553cc4528e942131105d19d0d2a714581e58
SHA256 152bcf977016bf079e47f20e716057fb7f4e772015802dd00d3eee7b1874f7c0
SHA512 2f695fc1a146f5fa64db746bc7cf81155cd78399d575576e07af9abcf3975e828ce0f2b6cc91b9f116eff034f2c5c4db4d9a1ea5cb0249753a572628c4db5766

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 7ca8d87366480bdee9964513a59627a9
SHA1 736db2077c4dd9097246964851f87f1a8dad39d1
SHA256 e3849569450d0409d855811fdf2cfd11dba45553ae7302711b42e06c342a05c3
SHA512 96fcb9c7854a4e03e875495ef3b4866513f0d8afddee5914a34851d3fd8d685ca73983a8503f33bf9033232795b34ddfc3aabeebe28ca53b4a44f0de23223e9b

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

MD5 41150f0446da63df089d815ecaf253c4
SHA1 afc1d9578dbe7ab962c44a79daac108a9336e791
SHA256 b3d2c50e19cb90a661c586551f03ab9d6ec3b0bc6ab44e61415c0d5f1b838e05
SHA512 721bbad616231fff51000e2b2f1e8741b2bcbc0543896928ec1a5a77143756cbd93c55a9510a7780a88ebab7795641a9a128dc35eb4f68912c447b1f4959137a

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421098545888.dll

MD5 99f28be37c48d4c06ff5baf21caf0747
SHA1 031ab5b90017e6ffab5d005e566813717592ef4f
SHA256 5a6f8fc1ba4dda4a971ed228b929e00338700bf02976150d8dd1bfc4f6c84f5d
SHA512 b68e65b9aebc4c872f874af6218523d9b4cdcb4b104678e75abc3f3e6262187674cb65ceb760ef981f61ad58e9e007f2a4711158ca9082eaff49a21bae97711d

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

MD5 2fbbf7bf54bc7501da0bf4256f510c3f
SHA1 31ce09b049432d902aa3c9c6356360bebe802749
SHA256 d8fc823ccd276ca09ba6b2388202b6627a64f6ff92d0cf47570c166020dacbc4
SHA512 556d4997306576cada90c5715e619a2527f40f7e424fde0efe181f6ec2698a5ead21bf5333a7a1e2eed95c43a5c442051d10d87ebb4046c9c6d592c0e7b38c99

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421100265268.dll

MD5 db74d30f6dc1e54664f7619e5bced29e
SHA1 b859c93690f3d6d963ce0283d15dd35c040432e1
SHA256 524e706265138addf45dee4dbe6298373f510d58ebd2de0ffa3d256f1fae86f5
SHA512 62919b6bd7313de293e4e5c0a0f3caef1b49087c81e0e45bfab56a486fa9fdfe0f2f5381c1f58715460e1758ab14275ad404835246c7815de62d72348a76bcb3

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

MD5 c05bb37077cb577f5e6db5fdbf52af7f
SHA1 7525115320e8b88c73ca2a314f3ff470a3d76499
SHA256 e23bb0af48141c2164d614fa351209b4e1e9941a9a613b117057a2e1fa1abd0d
SHA512 7564b20bf0ce0d1c5c0ac7eb688cd58116bced47a5c957087310a939debc4922bce27fc5d7ea056e49776a169ef2b2a87a611776cdcc373802ed97c18250edf3

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\S9bpWUSHmYnccwU6BrdZHNx5.exe

MD5 3a3b67404eb1d1300060b7e5884e2325
SHA1 eb8b2abfdfaaf80230c9d2db6297a428c1b11e73
SHA256 67c5b5e5e679c027dc4bd7f6796f5167fefd1303b78b12b8fcf85bf7b2309d3c
SHA512 793e4ca10f305f8719069414b6a9d5211da300ef11f80ddf98bc6876ff1e25fa8edfb311fad059ddc234ccc6c560dd3ebc9390628f13dba5f10e8088c9bc9dc3

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421103541476.dll

MD5 fe30c4340b7c7c05c5d81249881e3b7d
SHA1 24c7bb0ea94312d16194bc5757cbe22c96055b87
SHA256 129957b71bf2730ad183b33613bd1045d33937706b86c5e30052c2f1ef91277e
SHA512 16fa420979b1f1d15e77ea9b51aa47752bb8995c90438e232cb38d9730f5be8b63360507f9ce256612a2e5229e3c57ac7715d217af2a25544ca211115e672651

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421103541476.dll

MD5 b4039abd92499f0d7522c23a91990f59
SHA1 b03558ded00b283d3b614e21114c1191269fa1fe
SHA256 c6372da1a7e790561058fb4abfd8755c62662b894b08f55dcebd5ebe9288be71
SHA512 69db107c95d758203e02f6790281c079ba877811fc31bc2cebb586b1a434b8d2a7433d420edaa32c647241930f51c496cff8bffe14c721dfb7ca538e857662e9

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

MD5 f06607ed24891f735f809a8379f739f9
SHA1 988d58d8250945a5a29646d386bc1ad6d787a70b
SHA256 d61a6e24fb66d0f28d5c6892910d7aa66c5ee61dd84acff77ba1f143f1bd0105
SHA512 2429c5d193920455a92f160a1847a91237e2225b68a64dee301ed42230252b32b7a224511b7040611240ad6457e2a4b2c02e404a00aafcaa99a974f28962a41d

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421108001672.dll

MD5 b2934e8fe78e03093eeb61ba28fa872c
SHA1 6f59af6a62931a237dd6f1aa01d580458fa335aa
SHA256 0623a94a65aad33351ecea5671827b340e6de19ee615cb38c380a39a670b1bb3
SHA512 c23713f9ae5ee5e50cf86441f07608ad888a46df82e015420325130c1a44238300f25501ea83c11647206493404c3707a4b0259086cce05ec32e4a1621992604

C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe

MD5 b1fdbcc8f7e1323b1ae74cc79e7b24b3
SHA1 03b12f34b8fcf39fa2c7f5610f8012991c28654c
SHA256 6c690ccdbf9fb013c9c4baae363c7ae397ea821fbab667a1a26dde0bc6f7f59c
SHA512 d91df905e36f2fc9a0990490ae1793dc6bf5896e4df5fa06d5c24c9a07028621a7ae123a04a98f0e2d36a10d1fdde98b4307f4cd15642174651405e2acfb63df

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111421113465376.dll

MD5 4e09e841c58ecf306e78feea83cea8e1
SHA1 2b419d945d46a6b255328080135bdd3058c8dc03
SHA256 b632441531b193e315ff276c17af62f8e61bd93e880b108ee9b8d917870455d6
SHA512 61a946287dedb5ccedb47cf808ff4cf1d7b371ca8041062ca812977ce9f29d7188cedadbb57d140270e16f57c6bc3c87d270a99d707b9608b0ac4a52ed8b4706

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 92a4a8eff29af16c824751c951006034
SHA1 7ab76569685eb09444039794d66ba02a5eee0781
SHA256 fea1afd3a05138180be400ad188944037fe5a351de8eb7d54c9c69323f35c839
SHA512 126146f1bb0fa8e0c6429681d62ceb96e16a33c994bdf502a34af5a66160904f5af907b819458e4005ca550d05ed1f34eacc10a73caa801897669f326865d09e

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\opera_package

MD5 b11a82be27ba5ec5a6d6fd7ff20e8ab0
SHA1 9f074f5a86c0aae449f2bc445748ae870a996010
SHA256 27fadf5046749f37dce63d901f7085a63ce637c06430bd62af6bf3ab3fa2082e
SHA512 f58e217e234915aee0e80e364a84f086f1744d0b795318aff66b3e165dba5736f371a3bd798a53b0bf57006ce8356f5500769340a84a58dc09d18ffdf139a891

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

MD5 954d8eaf098bfb9609509bf09c201374
SHA1 02cb116621285a4640048822da6f01d6b16e6d4d
SHA256 4f49c4b52ec28b4a6b3e5435a906be8652a4d16c04345050d60f942849612b0c
SHA512 167e8465dd9fc345d53ee93afb08c8be74ab4b3a29c178490502eee6dc3f9413a3a68e873de63728bbd768bd5a3710d3a8c0d0a9fbc266006fd5dcef610825bd

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\assistant_installer.exe

MD5 720b7591615ada96ef3f92dbd6bb7315
SHA1 5dc09adfd221f65143404c84357efb6f05b1991f
SHA256 4ebd8dca718391f84771350af13f6b4db22f8d533ae6deb9a4f2edfe778d60b7
SHA512 81cf27d5c969001f43571ed9398a6e001c13e98065ba6bf4588a71ad9bf00f6605af60801b6ef0439104bd87fc294b65d82f5cee119aab754f1ce78defa6f8c7

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbghelp.dll

MD5 a2e2c6d725dea1c49eb40b0e7b134e1b
SHA1 c425999011065bc87c40806e4adf39c006350fe1
SHA256 b345407859596eec3f014f1f3e47aaba9bd63fe20be26e3125e2762bb207778d
SHA512 10ce4fcde83f478579e99156842d46109a96e5d1c93ec9cb066df5606545f8b5c1b5013cec472691daba97a97842c05fb25f1582df8fbb03317c4f4079580042

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbgcore.DLL

MD5 fa8d56546648d8c0acf1c17c540fd543
SHA1 7c58b6b7388ab12ef3035d63a5e3830f763e5a6a
SHA256 a82101ba4ec593aaf627af7db83ab6aa88e99f170b6a1163677ef3e0a57c158a
SHA512 e278a2a1d12b49b98ab5334d46018a434c28ace3da27af50dd5092bd68a8cc6b559f0be0fbe277df7d5b51ccc702d03071620735d66828b2b700c40ded687ff7

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbgcore.dll

MD5 202e9e27500f1419bb023c5ac54618a8
SHA1 836082a6139de74a623730bd98797c78da7234dd
SHA256 3f775c5caf649aaf03825cdf6cf29eddaf881c6a0552d0da12ff4ba875aef4f2
SHA512 5fbd6b74b42e090cb6089a94293a4a80390a64a18fd58affabd31a0c18d30bbc5f5bcba7d932c6f8394c17a37319ad8386d26ff1f7f93ffdd93fe918904852b0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111421101\assistant\dbghelp.dll

MD5 f4bf4aabbf848470e96c109867fc0b66
SHA1 1cc1e36db5fd9730984d7bb33f5ef177400185b5
SHA256 a80804664d4389c02754d4f8c8ce8fa506f386c45a9597b5298cc5c636c91359
SHA512 73882ae42faed532fa550e4aa1a426a6b87e0716d71482cac53fa957ee3a595a7c88430cf3c8e8950cc455119f42cfdf0c206c6f4f66a01e792215762c1edb47
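
Two things about this Files listing trip up anyone who copies it straight into a blocklist. First, several paths appear more than once with different hashes (C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe and S9bpWUSHmYnccwU6BrdZHNx5.exe, for example): the sandbox hashed the file each time it changed while being written, so only the last hash per path is the payload that actually ran, and the earlier ones are partial downloads. Second, some records carry no detection value at all: the S9bpWUSHmYnccwU6BrdZHNx5.exe record with MD5 d41d8cd98f00b204e9800998ecf8427e is the hash of an empty file, and the Edge Network .tmp record is the hash of the two bytes "[]". The script below is an added example, not the sandbox's own tooling. It parses the section's layout (path line, then MD5/SHA1/SHA256/SHA512 lines, with memory/PID-N-start-end dump lines interleaved) from a constructed sample copied from the entries above, computes the content-free hashes instead of hard-coding them, reports rewritten paths, and collapses the repeated memory-dump regions per PID.

```python
"""Turn the Files section of a sandbox report into an IOC list, dropping
hashes of content-free files and noting paths that were rewritten."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: entries copied from the Files section of this page.
FILES_SECTION = r"""
C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
MD5 367438b39d3e6e775036497c69c6246c
SHA1 b73461e5bdd466af00d57d07c22728bac322f65f
SHA256 125fd354ae4cd5b545c35bb75997189131fdffc0b46f4e9ece0a2c2075dc14bb
SHA512 57cf4a855dc32e9a1b83ef81ffb26e3ad4e6f09f79c0208cdead01188c40cb3e3e87199f9edd0c3aec383b79178cf67fc8f11786209e75b8e9af2878fd90d0b7
memory/4024-62-0x0000000003A80000-0x0000000003E79000-memory.dmp
C:\Users\Admin\Pictures\VDOzkYNnEOAD6NUHUIHRJhTN.exe
MD5 0dd818d2fb073230a3a72333c61f9902
SHA1 5dcb3563d887ce28bacab5a7027fe055e20a82cd
SHA256 f901cec6bc29e552107f4a5ba735187681bc2cae56750f6b555956e486383f33
SHA512 9d1f60f8d83f7912707baa5593f6f8113f2b0cc293143ee5ab793d3b5c26ca342bb1eb5861912497c06932866f79593c4d829900d2ce68371acf9726eb0fc786
memory/4024-73-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Users\Admin\Pictures\S9bpWUSHmYnccwU6BrdZHNx5.exe
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\9b7eef56-73eb-4b37-8132-86faba443da9.tmp
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
memory/4024-158-0x0000000003A80000-0x0000000003E79000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Content whose hashes carry no detection value. Hashed at runtime rather
# than hard-coded so the comparison is self-evidently correct.
KNOWN_CONTENT = {b"": "empty file", b"[]": "empty JSON array"}


def parse_files_section(text):
    """Return (file records with their hashes, memory-dump regions)."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        current = {"path": line}   # any other line starts a new file record
        files.append(current)
    return files, dumps


def trivial_content(record):
    """Label the record if its SHA256 is that of known content-free data."""
    for data, label in KNOWN_CONTENT.items():
        if record.get("SHA256") == hashlib.sha256(data).hexdigest():
            return label
    return None


def rewritten_paths(files):
    """Paths seen with more than one SHA256, in the order the report lists them."""
    seen = defaultdict(list)
    for f in files:
        if "SHA256" in f and f["SHA256"] not in seen[f["path"]]:
            seen[f["path"]].append(f["SHA256"])
    return {p: hs for p, hs in seen.items() if len(hs) > 1}


def ioc_sha256(files):
    """Sorted, de-duplicated SHA256 set with content-free records removed."""
    return sorted({f["SHA256"] for f in files
                   if "SHA256" in f and trivial_content(f) is None})


def regions_by_pid(dumps):
    """Distinct (start, end) dump regions per PID; repeated dumps collapse."""
    out = defaultdict(set)
    for d in dumps:
        out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in out.items()}
```

For a rewritten path, the last hash in its list is the one to carry forward as the dropped payload; the earlier ones are useful only for matching partial downloads in other sandbox runs. The per-PID region list is a quick way to see which processes had large unpacked images dumped (the 0x400000 region of PID 4024 here), which is where to start when carving the unpacked stealer out of the dumps.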