Malware Analysis Report

2025-01-02 11:08

Sample ID: 240311-sqx1dsab38
Target: New.exe
SHA256: c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
Tags: dcrat djvu glupteba smokeloader stealc vidar 7462cf1e49890509e46ee7ab1b511527 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx lumma rootkit
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Threat Level: Known bad

The file New.exe was found to be: Known bad.

Malicious Activity Summary

Stealc

Windows security bypass

Detect Vidar Stealer

Glupteba payload

SmokeLoader

Vidar

DcRat

Lumma Stealer

Detected Djvu ransomware

Djvu Ransomware

Glupteba

Downloads MZ/PE file

Modifies Windows Firewall

Reads data files stored by FTP clients

Windows security modification

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Drops startup file

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies system certificate store

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-11 15:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-11 15:20
Reported: 2024-03-11 15:22
Platform: win7-20240221-en
Max time kernel: 129s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Vidar Stealer

stealer
2 hits; no description, indicator, process or target recorded

Detected Djvu ransomware

3 hits; no description, indicator, process or target recorded

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

12 hits; no description, indicator, process or target recorded

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cSbFgdAsvOucWRwa7E5jY4KX.exe = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZHUcEn2x7LjA371ZeB5oAV36.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fFOPRxb8bYFYkRmfjoDrEK25.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1mt9PShhIERJPYMI6YPDfxFl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVSQ7xgUPK1xZstKJqVu6ywP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmH4wzlgnihpPX3uEV9uOp9h.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe N/A
N/A N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe N/A
N/A N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe N/A
N/A N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe N/A
N/A N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe N/A
N/A N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
N/A N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8029.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8029.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8029.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8029.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8029.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8029.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
6 hits; no description, indicator, process or target recorded

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cSbFgdAsvOucWRwa7E5jY4KX.exe = "0" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ca2c8eec-2f22-42a2-a00a-33fbc1f3fe6c\\8029.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8029.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240311152054.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

NSIS installer

installer
3 hits; no description, indicator, process or target recorded

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data omitted) C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe N/A
N/A N/A C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp N/A
(24 further hits; no description, indicator, process or target recorded)
N/A N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
(24 further hits; no description, indicator, process or target recorded)
N/A N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
N/A N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
N/A N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
N/A N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
N/A N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
(5 further hits; no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 848 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 848 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 848 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2980 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
PID 2980 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
PID 2980 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
PID 2980 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
PID 2980 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe
PID 2980 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe
PID 2980 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe
PID 2980 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe
PID 2980 wrote to memory of 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
PID 2980 wrote to memory of 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
PID 2980 wrote to memory of 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
PID 2980 wrote to memory of 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
PID 2980 wrote to memory of 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
PID 2980 wrote to memory of 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
PID 2980 wrote to memory of 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
PID 2548 wrote to memory of 1208 N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
PID 2548 wrote to memory of 1208 N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
PID 2548 wrote to memory of 1208 N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
PID 2548 wrote to memory of 1208 N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
PID 2548 wrote to memory of 1208 N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
PID 2548 wrote to memory of 1208 N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
PID 2548 wrote to memory of 1208 N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
PID 2980 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
PID 2980 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
PID 2980 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
PID 2980 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
PID 768 wrote to memory of 524 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 524 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 524 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 524 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\system32\cmd.exe
PID 524 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 524 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 524 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2784 wrote to memory of 1684 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2784 wrote to memory of 1684 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2784 wrote to memory of 1684 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2784 wrote to memory of 1684 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 768 wrote to memory of 2740 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\rss\csrss.exe
PID 768 wrote to memory of 2740 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\rss\csrss.exe
PID 768 wrote to memory of 2740 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\rss\csrss.exe
PID 768 wrote to memory of 2740 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\rss\csrss.exe
PID 2740 wrote to memory of 568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2740 wrote to memory of 568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2740 wrote to memory of 568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2740 wrote to memory of 568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
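Rebuilding the injection chain from the WriteProcessMemory rows above, as an added example (my code, not tooling from the sandbox or from this report). It parses rows in the sandbox's `PID <src> wrote to memory of <dst> N/A <source image> <target image>` form (that layout is an assumption), counts repeated writes per writer/target edge, prints the tree from the root PIDs, and flags two things worth a second look: writes from a non-Windows image into a Windows image (the New.exe into AddInProcess32.exe and New.exe into powershell.exe edges, which together with the SetThreadContext hit and the 2980-0x400000 memory dumps below are the classic .NET hollowing pattern), and images under C:\Windows that sit outside the real system directories (C:\Windows\rss\csrss.exe is not the csrss.exe from System32). The sample rows are constructed from this table, one per distinct edge, with the 848 into 2980 write kept three times so the counting is visible.

```python
"""Rebuild the injection chain from a sandbox WriteProcessMemory table.

Added example, not part of the sandbox or this report. Row layout assumed:
'PID <src> wrote to memory of <dst> <indicator> <source image> <target image>'.
"""
import re
from collections import Counter, defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Genuine Windows images live here; anything else under C:\Windows that
# borrows a system binary's name (csrss.exe, svchost.exe, ...) is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\microsoft.net\\")

# Constructed from the report's rows: one row per distinct edge, with the
# 848 -> 2980 write repeated so the per-edge counting is visible.
SAMPLE_ROWS = r"""
PID 848 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 848 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2980 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
PID 2980 wrote to memory of 2668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe
PID 2980 wrote to memory of 2548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
PID 2548 wrote to memory of 1208 N/A C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
PID 2980 wrote to memory of 2784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
PID 768 wrote to memory of 524 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\system32\cmd.exe
PID 524 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2784 wrote to memory of 1684 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 2784 wrote to memory of 2568 N/A C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 768 wrote to memory of 2740 N/A C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe C:\Windows\rss\csrss.exe
PID 2740 wrote to memory of 568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
"""

def basename(path):
    return path.rsplit("\\", 1)[-1]

def parse_rows(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per matching row."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            events.append((int(src), int(dst), src_img, dst_img))
    return events

def edge_counts(events):
    """Number of WriteProcessMemory calls per (writer PID, target PID) edge."""
    return Counter((s, d) for s, d, _, _ in events)

def images(events):
    """PID -> image path, taken from whichever column the PID appears in."""
    names = {}
    for s, d, si, di in events:
        names[s], names[d] = si, di
    return names

def roots(events):
    """PIDs that write into others but were never written into themselves."""
    written = {d for _, d, _, _ in events}
    return sorted({s for s, _, _, _ in events} - written)

def render_tree(events):
    """Indented who-wrote-into-whom tree, with the write count on each child."""
    names, children = images(events), defaultdict(list)
    for (s, d), n in sorted(edge_counts(events).items()):
        children[s].append((d, n))
    lines = []

    def walk(pid, depth, n_writes):
        tag = f"  <- {n_writes} write(s)" if n_writes else ""
        lines.append(f"{'  ' * depth}{pid} {basename(names[pid])}{tag}")
        for d, n in children[pid]:
            walk(d, depth + 1, n)

    for r in roots(events):
        walk(r, 0, 0)
    return "\n".join(lines)

def injection_candidates(events):
    """(writer, target) image names where a non-Windows image writes into an image
    under the Windows directory. Heuristic only: a parent also writes into its child
    at process creation, so confirm against the target's memory dump."""
    seen = []
    for _, _, si, di in events:
        if di.lower().startswith("c:\\windows\\") and not si.lower().startswith("c:\\windows\\"):
            pair = (basename(si), basename(di))
            if pair not in seen:
                seen.append(pair)
    return seen

def masquerading_images(events):
    """Images under the Windows directory but outside the real system directories."""
    found = set()
    for path in images(events).values():
        low = path.lower()
        if low.startswith("c:\\windows\\") and not low.startswith(SYSTEM_DIRS):
            found.add(path)
    return sorted(found)

if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    print(render_tree(evts))
    print("injection candidates:", injection_candidates(evts))
    print("masquerading images:", masquerading_images(evts))
```

The second instance of cSbFgdAsvOucWRwa7E5jY4KX.exe (PID 768) shows up as its own root because nothing in this table wrote into it; it is the relaunched copy that builds the firewall rule and drops csrss.exe, so the two roots are one chain when read together with the Processes list.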

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\New.exe

"C:\Users\Admin\AppData\Local\Temp\New.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe

"C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe"

C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe

"C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe"

C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe

"C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe"

C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp

"C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp" /SL5="$900F4,1518993,56832,C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311152054.log C:\Windows\Logs\CBS\CbsPersist_20240311152054.cab

C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe

"C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe"

C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe

"C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\A9B.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\8029.exe

C:\Users\Admin\AppData\Local\Temp\8029.exe

C:\Users\Admin\AppData\Local\Temp\8029.exe

C:\Users\Admin\AppData\Local\Temp\8029.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ca2c8eec-2f22-42a2-a00a-33fbc1f3fe6c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\8029.exe

"C:\Users\Admin\AppData\Local\Temp\8029.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8029.exe

"C:\Users\Admin\AppData\Local\Temp\8029.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe

"C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe"

C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe

"C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1404
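A command-line triage pass over the Processes list above, as an added example (my code, not the sandbox's signature engine). Each rule is a regex over one command line and carries the ATT&CK technique it evidences, so the raw list reduces to what the sample actually did: a Defender exclusion for the whole user profile via Add-MpPreference, a firewall allow rule for the dropped csrss.exe, two scheduled tasks (one at logon with highest run level), an icacls deny for Everyone on the ransomware's working directory, and a binary named csrss.exe running from C:\Windows\rss rather than System32. The sample command lines are copied from this report; makecab.exe is included as a benign control that should match nothing. The rule names and the "exec_from_user_dir" informational rule are my own.

```python
"""Regex triage of sandbox command lines, mapped to ATT&CK technique IDs.

Added example, not the sandbox's signature engine. Rules are deliberately
narrow; baseline them against your own environment before deploying.
"""
import re
from collections import Counter

RULES = [
    ("defender_exclusion", "T1562.001",
     r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b"),
    ("firewall_allow_rule", "T1562.004",
     r"\bnetsh\b.*\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b"),
    ("schtasks_create", "T1053.005", r"\bschtasks(?:\.exe)?\s+/create\b"),
    ("schtasks_highest_rl", "T1053.005", r"\bschtasks\b.*\s/rl\s+highest\b"),
    ("icacls_deny_everyone", "T1222.001", r"\bicacls\b.*\s/deny\s+\*S-1-1-0:"),
    # System-binary name launched from outside System32/SysWOW64 (e.g. C:\Windows\rss\csrss.exe).
    ("masquerade_system_name", "T1036.005",
     r'^"?[a-z]:\\(?!windows\\(?:system32|syswow64)\\)[^"\s]*\\'
     r"(?:csrss|lsass|smss|svchost|winlogon|wininit)\.exe\b"),
    # Executable launched from a user-writable directory; informational on its own ("-" = no technique).
    ("exec_from_user_dir", "-",
     r'^"?[a-z]:\\users\\[^"\\\s]+\\(?:pictures|appdata\\local\\temp|appdata\\roaming)\\[^"\s]*\.exe\b'),
]
COMPILED = [(name, tid, re.compile(pat, re.IGNORECASE)) for name, tid, pat in RULES]

# Constructed sample: command lines copied from the report's Processes list.
# The makecab.exe line is a benign control and should fire nothing.
SAMPLE_CMDLINES = r"""
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
icacls "C:\Users\Admin\AppData\Local\ca2c8eec-2f22-42a2-a00a-33fbc1f3fe6c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\rss\csrss.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311152054.log C:\Windows\Logs\CBS\CbsPersist_20240311152054.cab
"C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe"
"""

def triage(cmdline):
    """Names of every rule that fires on one command line, in rule order."""
    return [name for name, _, rx in COMPILED if rx.search(cmdline)]

def triage_many(text):
    """{command line: [rule names]} for each non-empty line that fires at least one rule."""
    hits = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            names = triage(line)
            if names:
                hits[line] = names
    return hits

def technique_summary(text):
    """ATT&CK technique -> number of command lines evidencing it (one count per line)."""
    tid_of = {name: tid for name, tid, _ in RULES}
    counts = Counter()
    for names in triage_many(text).values():
        for tid in {tid_of[n] for n in names if tid_of[n] != "-"}:
            counts[tid] += 1
    return counts

if __name__ == "__main__":
    for line, names in triage_many(SAMPLE_CMDLINES).items():
        print(", ".join(names).ljust(40), line[:80])
    print(dict(technique_summary(SAMPLE_CMDLINES)))
```

The masquerade rule only inspects the image at the start of the command line, so the schtasks and netsh lines that merely mention C:\Windows\rss\csrss.exe do not fire it; those are caught by their own rules, and together the three lines tell you the fake csrss.exe is what gets both the firewall hole and the logon task.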

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 188.114.97.2:443 yip.su tcp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 midnight.bestsup.su udp
US 8.8.8.8:53 namecloudvideo.org udp
US 8.8.8.8:53 net.geo.opera.com udp
US 15.204.49.148:80 15.204.49.148 tcp
DE 185.172.128.126:80 185.172.128.126 tcp
RU 194.87.206.12:80 galandskiyher5.com tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 104.21.29.103:80 midnight.bestsup.su tcp
US 188.114.97.2:443 namecloudvideo.org tcp
US 8.8.8.8:53 shipbank.org udp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 172.67.146.202:443 shipbank.org tcp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
DE 185.172.128.145:80 185.172.128.145 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.187:80 185.172.128.187 tcp
US 8.8.8.8:53 a889e364-2d97-4b93-af2c-719a71d91c72.uuid.filesdumpplace.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
HN 138.204.181.135:80 sdfjhuz.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 188.114.97.2:443 api.2ip.ua tcp
DE 185.172.128.145:80 185.172.128.145 tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 sajdfue.com udp
HN 138.204.181.135:80 sdfjhuz.com tcp
KR 123.213.233.131:80 sajdfue.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
KR 123.213.233.131:80 sajdfue.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
DE 49.12.116.63:80 49.12.116.63 tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
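Summarising the Network table above, as an added example (my code, not part of the report). It parses the `Country Destination Domain Proto` rows, counts TCP connections per destination, lists hosts contacted by bare IP (the Domain column just repeats the IP, so no DNS lookup preceded the connection, which is common for hard-coded loader C2), finds IPs that answer for more than one contacted domain (194.87.206.12 serves both galandskiyher5.com and trad-einmyus.com here), and lists domain/IP/port triples hit repeatedly, the pattern the long run of trad-einmyus.com rows shows. The sample rows are a constructed subset of this table. The noise list deliberately leaves out pastebin.com and steamcommunity.com: stealers use both as dead-drop resolvers for the real C2 address, consistent with the report's "Legitimate hosting services abused for malware hosting/C2" signature.

```python
"""Aggregate a sandbox network table into C2-triage views.

Added example, not part of the report. Row layout assumed:
'<country> <ip>:<port> <domain-or-ip> <tcp|udp>'.
"""
from collections import Counter, defaultdict

# Benign OS/sandbox background traffic. pastebin.com and steamcommunity.com are
# deliberately NOT listed: stealers use them as dead-drop resolvers for the real C2.
NOISE_DOMAINS = {"msdl.microsoft.com", "net.geo.opera.com"}

# Constructed subset of the report's Network table.
SAMPLE_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 188.114.97.2:443 yip.su tcp
US 8.8.8.8:53 galandskiyher5.com udp
US 15.204.49.148:80 15.204.49.148 tcp
DE 185.172.128.126:80 185.172.128.126 tcp
RU 194.87.206.12:80 galandskiyher5.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.2:443 api.2ip.ua tcp
US 188.114.97.2:443 api.2ip.ua tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
"""

def parse_rows(text):
    """One dict per data row; the header, blank and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("tcp", "udp"):
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def tcp_rows(rows, include_noise=False):
    """TCP rows only; DNS lookups are dropped, and known background domains unless asked for."""
    return [r for r in rows if r["proto"] == "tcp"
            and (include_noise or r["domain"] not in NOISE_DOMAINS)]

def tcp_by_domain(rows):
    """TCP connection count per destination name (or bare IP)."""
    return Counter(r["domain"] for r in tcp_rows(rows))

def direct_ip_hosts(rows):
    """Hosts contacted by literal IP, i.e. with no DNS lookup in front of them."""
    return sorted({r["ip"] for r in tcp_rows(rows) if r["domain"] == r["ip"]})

def shared_ips(rows):
    """IP -> sorted domains, for IPs answering for more than one contacted domain.
    CDN front-ends (e.g. Cloudflare's 188.114.97.2) show up here too, so check
    the IP's owner before calling a shared IP shared attacker infrastructure."""
    by_ip = defaultdict(set)
    for r in tcp_rows(rows):
        if r["domain"] != r["ip"]:
            by_ip[r["ip"]].add(r["domain"])
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}

def repeated_endpoints(rows, min_hits=3):
    """(domain, ip, port, hits) for endpoints hit at least min_hits times, busiest
    first. Repeated short HTTP exchanges to one endpoint is the beaconing pattern."""
    c = Counter((r["domain"], r["ip"], r["port"]) for r in tcp_rows(rows))
    hits = [(d, ip, p, n) for (d, ip, p), n in c.items() if n >= min_hits]
    return sorted(hits, key=lambda t: (-t[3], t[0]))

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("tcp by domain:", dict(tcp_by_domain(rows)))
    print("direct ip hosts:", direct_ip_hosts(rows))
    print("shared ips:", shared_ips(rows))
    print("repeated endpoints:", repeated_endpoints(rows))
```

On the full table the same functions would also surface the 185.172.128.x hosts on port 80 as a second direct-IP cluster and put trad-einmyus.com far ahead of everything else on hit count; the Country column is kept in the parsed rows only because a sudden RU/HN/KR destination mix is a cheap first filter, not evidence on its own.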

Files

memory/1648-4-0x000000001B290000-0x000000001B572000-memory.dmp

memory/1648-5-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

memory/1648-7-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/1648-6-0x0000000002220000-0x0000000002228000-memory.dmp

memory/1648-8-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

memory/1648-9-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/1648-10-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/1648-11-0x0000000002950000-0x00000000029D0000-memory.dmp

memory/2980-12-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2980-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2980-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1648-22-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

memory/2980-23-0x0000000073FF0000-0x00000000746DE000-memory.dmp

memory/2980-24-0x0000000004E40000-0x0000000004E80000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar6F9C.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe

MD5 a7c452e26ea6b9763bfacfb7cf18b2d2
SHA1 6f31f449c4e3b8675cd27f89dc3c4fe411516d6c
SHA256 4078a5797759d89c833b29a9296a384aecb84bcab5137a3fb6b712ff112928f2
SHA512 1c9841cfd169dfc87ca3a6092b7b88d396220e740d92f2ab477e921e500c397638e8b3c6060b649d8cc4f1ddd28acc0af9b165736368e11943d110c0f0ac377b

\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe

MD5 6c1774b0b9043c398474db860f2e3afd
SHA1 d3a62839f69a324f9772abe55d07786425684e8c
SHA256 39e9219594ca9af1ce957cf7c98670ba55551bcd223588cf6ec42c29b546f305
SHA512 1360f00dab0780c5dc4c068f5f52c20164878964ca308e907746bdc12e3bb1b91b83c05cb33b6593b8341e722c8d39dab7ed2a0a88f62f9d3b8698eff1dc7382

memory/2656-162-0x0000000003650000-0x0000000003A48000-memory.dmp

\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe

MD5 e474dda04f6f90ba50ebff47395b19c9
SHA1 db1dc005639d232a25e074267239fd9e5fcbe6c7
SHA256 d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef
SHA512 aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055

memory/2656-175-0x0000000003650000-0x0000000003A48000-memory.dmp

memory/2668-177-0x0000000000020000-0x000000000002B000-memory.dmp

memory/2668-176-0x0000000001B20000-0x0000000001C20000-memory.dmp

memory/2656-181-0x0000000003A50000-0x000000000433B000-memory.dmp

\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe

MD5 3ca2f625386f7a3ca29376148974fa64
SHA1 646443709518ef699bae4755b262370ff6e7fbcc
SHA256 25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4
SHA512 dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79

C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe

MD5 bfa341e061b5de22ac962a1bb4e0d28b
SHA1 3ddf2fb36064994fcc0d1fc5054506ad71f765fb
SHA256 53b9719601792e1abe8165dced070112f37e581a3eb34730e90eb33d2db31f49
SHA512 d329d555c2f58be4835aba008401c1ee39bf37c1530793612860884e11899120629c943458c93a6c91fc89a2d8846993d04a7e9b64a79fa3ab1f647f0200d313

memory/2548-187-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2668-189-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2656-191-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2548-192-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe

MD5 664b6d38762654f502b48c513ed59b3c
SHA1 f2627fea451e80772f8629a85bac61442d4c9d5b
SHA256 4900ee269a6c4163d012ca06d48c2fb3f6afcffafa87adf193f0388389a88e6b
SHA512 6208f7f16dc1efa1f690cbbe469bb129254fcdc9eaaa59446c69119e9d4588e2a0b6e1d49fe31720edb23355a3771fffd4b4faccb6a6898ca766abd967d0ce4e

\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp

MD5 150a46b9c3e09bc0ed8d581669fe605b
SHA1 760baa334e4e024e80f27f8e23b900600281a853
SHA256 2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f
SHA512 d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805

memory/1272-199-0x0000000002A40000-0x0000000002A56000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-DTGEV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2668-200-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/1208-212-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2668-214-0x0000000000020000-0x000000000002B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-DTGEV.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2980-208-0x0000000073FF0000-0x00000000746DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp

MD5 af7fda7a10ef0b2e96d7dbd169f80110
SHA1 ab84331c89854b6730aa32be7518d14c371b44e1
SHA256 e3292a4334b611efb11aad718a3db3339b9790ee80c7b3ebb192312008a89759
SHA512 72a4c89e8c2fa682012df1fecb523449cd415b482c86f48f5cbb97f432b3e93fb0230b92c05d2c864380bcf0b05c2b7568daf9be42e10e5224a765e0bcf54656

C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe

MD5 1b5db3a14abeadec87533581be1ce2cf
SHA1 2522160144ecab17a9fe716595f43cb007a909a2
SHA256 c407fdfdf85ad02428199f989672c2f23d5e916c65341a461fb6071521305080
SHA512 4309323b6fa7414402919c3d2624ccd73167e6afb10a278120fa13803c97bd1c5b6808206419ad6949e727f25a5c9da8a650529ac5f3e43f86c7afe80160c98f

memory/768-225-0x0000000003720000-0x0000000003B18000-memory.dmp

memory/2656-226-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2656-232-0x0000000003A50000-0x000000000433B000-memory.dmp

memory/2548-233-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe

MD5 8472669d90d8905aad3e96f64d26f130
SHA1 277c1a882b0e18cb353f9c8f36498b0ef674e43e
SHA256 b3ad170e8acc99fbd5901d9c99cc7b2f8bfedb2a849512f90ea6fa24cf648e2a
SHA512 e33a23de1d06342edc49c263ea6f93b45b2b925e35e8ded85d18a79889a993d5a87ae1f531439e4991cfe2da84fc959d3a67b81a11e110d2d02cdce351754527

memory/768-234-0x0000000003720000-0x0000000003B18000-memory.dmp

memory/2656-239-0x0000000003650000-0x0000000003A48000-memory.dmp

C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe

MD5 74fbc954435fb0b73ad76afa3fb1969e
SHA1 a9eeba2cace9e8a236cb4bcdf379d71832d7f163
SHA256 7fae036851b4231149ee8d331cea9f3cd2d641c14be522909d9c3152d59241ab
SHA512 a08710f95d7136cc411172a9ab7135f6f21abd7cf3393f8e71c62cba84cd2fb3d490aae2bc177bc40b6139152fe86a362d7bff28f3ea06920eb37b24a29204a6

memory/768-240-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe

MD5 ec1cfe227446950b198ce90831554404
SHA1 919fd2a7a4b65ee9eeac6becfcc0455e442e01ee
SHA256 5d6cc44ca6ea24e7feaffdef68b477262d5326b9bcbba73823400a2ae6c003df
SHA512 8b7f80c000c12c079efcfade605a3d276b2d2497649c1c24cc89815631288e72f68c5369338a41097e377551260c19ef98764013f82b0b2b45eff4882bce4f7a

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 694cea6208a828b323e8d4f51b40ba05
SHA1 35633d388a48ae02b2defdfc443d9f8ac4acdb99
SHA256 1b5e65ac9e3f4dd8dce9c8eebc5d3ba0a2ebd6b02b52aa901962d262edc4b0b3
SHA512 62429016b84e4b760b4557df7bcc31bb692f9e1356f15b9954e46fbbfe69d957bd8266f66f3ec3163323fcb6955caf924bb4e651b733456119ed1d98b3da7a9c

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 099d81985b4d1951c9a0448bdead2e31
SHA1 3707f6971ecdd856999ca980a1b99b551bea5ff9
SHA256 291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095
SHA512 f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2

memory/1684-257-0x0000000000220000-0x0000000000247000-memory.dmp

memory/1684-253-0x0000000001B90000-0x0000000001C90000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

memory/1684-258-0x0000000000400000-0x0000000001A34000-memory.dmp

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 eee5ddcffbed16222cac0a1b4e2e466e
SHA1 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA256 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA512 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

memory/1208-270-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2784-275-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2784-277-0x0000000004C90000-0x00000000051C0000-memory.dmp

memory/2568-278-0x0000000000400000-0x0000000000930000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 85fc35a88ae5479cbe485e780e90276e
SHA1 361a4841c0ea4db9f345148b374de9b377c5431a
SHA256 86634f2408b773572e139d90644cd65b25c3278cb478087b392d5c517de7b00c
SHA512 4b4ab8cc2e4b2042994f4117ad8e71f6bd5c7092cbc26a24a815b6832f0fba351b0f303de312836a487ab371d8eeb75b38643cfedaa934170ca61c483f80d078

memory/2740-286-0x00000000035E0000-0x00000000039D8000-memory.dmp

memory/1684-288-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2568-292-0x0000000000240000-0x0000000000241000-memory.dmp

memory/768-287-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2740-313-0x00000000035E0000-0x00000000039D8000-memory.dmp

memory/2740-323-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1684-334-0x0000000000400000-0x0000000001A34000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 db8c6e6ce1f8d4be351dccba21b0706f
SHA1 7ebb9c845b738d959dc125d69e6ad509978816ef
SHA256 32c2fe8a6eda1f6d6e02396fe3211a88d4cf5c83871697df10efe5c4799d3399
SHA512 d91ede154093db8b151a31c10734cca6290a590864f5a9913c72c6dbd4ca03f992dc755e76128c0a37028a9976871474a90ec25504c4f78739ab8812fc256c01

memory/2568-346-0x0000000000400000-0x0000000000930000-memory.dmp

memory/2740-350-0x0000000000400000-0x0000000001E16000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 73b1f002db75e894b53dac0c507a1064
SHA1 3196a961d35f836f8118728d696c264e233a617b
SHA256 56b5841db54c135a4e3775f4af1a73a37bca61750e6257914b3c8fdf2635d181
SHA512 af404beeeef948b6403bb2d4a06b7809b1cd1122b4e8e48adba6068cfe322448db348302602b744e9d04fa00a29c1e43081e749e6cc54165b23e61ac8f6118f6

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 7d891b7d6ccb50d11ac7ba48923ab6fc
SHA1 85ffd57cc4dacefc35cad7befc3cb1af2a4dd58a
SHA256 5afc1252e2d74592cea475ce2d59b8ce212b968cd79fb401fb79e0d68229fafb
SHA512 8df1b7eacc7e3536c362e7dcd74cb6f9f5715bf3e4b25a74ab47011771bca35c9e0e1564814a2ca11e6c9ee2300798c657bf72d30304501425a9988f977bb990

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 c6b8a197dcf908b0cd585f4f84e5b7e7
SHA1 6e0e33a20114e1f3261106760fe599eb41b12d7e
SHA256 3fa9520c9330fdde14c524cb37e44d8b8c886a4e08f582be579ef038d90abc32
SHA512 9b1554d138077477c4dba0c96d881d1e7bc91937f639b17722d55a11f620afe61429db4ba645dcb360fde36e21fe16fab3efdc97da0db5dc158fb377ec36f2b1

memory/1348-366-0x0000000000430000-0x0000000000A18000-memory.dmp

memory/1348-368-0x00000000005C0000-0x0000000000BA8000-memory.dmp

memory/1684-369-0x0000000001B90000-0x0000000001C90000-memory.dmp

memory/1684-370-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2784-371-0x0000000004C90000-0x00000000051C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A9B.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3d1194e62cddb60ab48542b26e40251
SHA1 a6af30ed2bc5ca8de1cff7f294c23ba4474ff4ff
SHA256 b37742645c03522f49213bbad39713ac0c8c8b64d7355ddafb738d2624bf0498
SHA512 54f9308d82087555189e13a225eecb70b279914783fc4bfd4fa7c1a2755b4ed38e1374350a045ac88e33a84dc4059313b2c41c96cc8f6e3b399c6a8808b63a5f

memory/2568-404-0x0000000000400000-0x0000000000930000-memory.dmp

memory/2740-405-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2568-406-0x0000000000400000-0x0000000000930000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2568-415-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2740-416-0x00000000035E0000-0x00000000039D8000-memory.dmp

memory/1684-422-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2568-429-0x0000000000400000-0x0000000000930000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2740-438-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2740-446-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1684-448-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2740-451-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1348-452-0x0000000000430000-0x0000000000A18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8029.exe

MD5 51597fedbf769613eac193b679de833d
SHA1 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945
SHA256 b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c
SHA512 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23

memory/2496-473-0x00000000033F0000-0x000000000350B000-memory.dmp

memory/2496-472-0x00000000002F0000-0x0000000000381000-memory.dmp

memory/2532-475-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d41bad24e85feecbb87060b006c750fd
SHA1 feb8698ec9cca3dd502bb2e2c1441be26746445c
SHA256 7091bbb957d5b8c177a2c1f7b3eedffe77d8523a4520e14a988bb0f4b17cdb1b
SHA512 ad236598b8813ab904ab47f044aedd2e32fdb07442e297cd44b093df51e8260e847ebd49533edf2f17e7b1d7054557d344ec9eba298712d137962ab416ae54ef

\Users\Admin\AppData\Local\Temp\8029.exe

MD5 b7f5ca0c9a089b19350d404f4d954749
SHA1 d407efd2c451d5cd3b9c4fd8d64627e222e1c925
SHA256 7f11ab4b84f397a1e533d56489a0cdeae0121c36621381c6f4026833e5208b15
SHA512 694eea50e3c08a156b909d83fd29a9e414690d3a10be484a887cb9e032b150af7bc2c1a2acd66e170df776c47ae3a07f02370457bfe30d281f20f59801898920

memory/2532-500-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1448-508-0x00000000002B0000-0x0000000000341000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 be295cc1dce65627d0ff7b42e79ad790
SHA1 613050a71398bffc4a5027f099138a57d404f426
SHA256 e4ff877adf628d7ada58e4c69f25548f42d7914f9b05599c18101a1e21f7a453
SHA512 f44fae10d5011e061597e31f20c1843887ac1660ac4062507c5e4cbd2a338ead082b45c3d433d9743a25b6636c3c706dfc2c58c7532d00f247de96897f0bb2ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1548103e1299490d7d08fffa07918630
SHA1 c07b8d6c63bfba93d0b61533dec131c9df13bdd7
SHA256 9d4c8ea2311df9881f7c6628b6a9fe101649cdf45e7f0f5cb1aef26801c99c34
SHA512 f309585e402638b3ff95e12b154bb0fe0babb8150f486b96124e9ca146c1a03b26d90402a2e6cefa5f701390547693329ef8814a49c7ac64e513f41d7d3caf39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 55cf600d372cc65439f35275e06e18d0
SHA1 9db69b0c9182baf5f6fda02a6da86d8ac22114e9
SHA256 71c0841eb56f545f9a4bd8abe77f83a9ddd34d4ae2be73e6abcf057078838494
SHA512 c64c4ad1f95d2d6e4c807a21ecffc64f39ac6e44cb242af000e2391a2e3e9bc9ccfefb96e10be5cf174f4f27e9a105191e12d9233aecedfa79e83b2f84d592ec

C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe

MD5 88c5ca503e8fecbca8ee889a892b165c
SHA1 2ec61a72dc88584abda48f19fb8e4d2847264aed
SHA256 41f6207540f5197717e1c601b43c9c89a5109ff3aab98fe80f6645f0ebd2a153
SHA512 366035a481a439854094d13f8a0b9bf26e706dd43100421d92724baa1f9b1ceac74669e42e9331867a3c364f8e2f0c05d3387e5dea9d8669d29832614fa7b4b9

memory/1520-551-0x0000000000307000-0x0000000000322000-memory.dmp

memory/1520-553-0x00000000001C0000-0x00000000001F1000-memory.dmp

memory/1684-591-0x0000000001B90000-0x0000000001C90000-memory.dmp

memory/1684-592-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/1316-596-0x0000000000400000-0x0000000000644000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 15:20

Reported

2024-03-11 15:22

Platform

win10v2004-20240226-en

Max time kernel

126s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B6B9.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQEHk30ZCMF08XA6daA7M7mV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2Qbi460fuk6Day3HEHsDNBYs.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UALiPn0bEEMgv8iaZ5bhcts4.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLnXuyKCBXc85u8ujglpVXLa.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qHjZKfbREOgWY8Ov407cinWj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DcqKfeiXWi0YyYCA0mKO1MmI.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe N/A
N/A N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp N/A
N/A N/A C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe N/A
N/A N/A C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
N/A N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
N/A N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
N/A N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
N/A N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B6B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B6B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B6B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B6B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D639.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6\\B6B9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\B6B9.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp N/A
N/A N/A C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe N/A
N/A N/A C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3672 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2336 wrote to memory of 3720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe
PID 2336 wrote to memory of 3720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe
PID 2336 wrote to memory of 3720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe
PID 2336 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
PID 2336 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
PID 2336 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
PID 3720 wrote to memory of 4744 N/A C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp
PID 3720 wrote to memory of 4744 N/A C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp
PID 3720 wrote to memory of 4744 N/A C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp
PID 2336 wrote to memory of 1188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe
PID 2336 wrote to memory of 1188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe
PID 2336 wrote to memory of 1188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe
PID 4744 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 4744 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 4744 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 4744 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 4744 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 4744 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
PID 2336 wrote to memory of 4832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe
PID 2336 wrote to memory of 4832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe
PID 2336 wrote to memory of 4832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe
PID 4832 wrote to memory of 2460 N/A C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 4832 wrote to memory of 2460 N/A C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 4832 wrote to memory of 2460 N/A C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 3528 wrote to memory of 380 N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 380 N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 380 N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4832 wrote to memory of 2284 N/A C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4832 wrote to memory of 2284 N/A C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4832 wrote to memory of 2284 N/A C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2284 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2284 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3948 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3948 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3948 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3948 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3948 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2980 wrote to memory of 3972 N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 3972 N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2980 wrote to memory of 3972 N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2336 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
PID 2336 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
PID 2336 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
PID 1224 wrote to memory of 4876 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
PID 1224 wrote to memory of 4876 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
PID 1224 wrote to memory of 4876 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
PID 1224 wrote to memory of 1244 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 1224 wrote to memory of 1244 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 1224 wrote to memory of 1244 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 1224 wrote to memory of 4712 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
PID 1224 wrote to memory of 4712 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
PID 1224 wrote to memory of 4712 N/A C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
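The table above logs one row per write call, so every parent/child pair appears several times and the process tree has to be rebuilt by hand. The Python below is an editor's example, not part of the sandbox report or of the malware families it names: it parses rows in this table's format (image paths may contain spaces, as the Em Editor Free path does), drops the repeated edges, reconstructs the tree, and lists PIDs that are never a write target, i.e. processes whose parent the table does not record. The sample rows are copied from the table above; the "injected host" heuristic (a Windows-directory binary that goes on to launch executables from user-writable paths) is the editor's own and is what singles out jsc.exe here.

```python
"""Rebuild a process tree from "PID X wrote to memory of Y" sandbox rows.

Editor's example, not part of the sandbox report. The row format is the one
used in the WriteProcessMemory table above; the sample rows are copied from it.
"""
import re
from collections import defaultdict

# Constructed sample: one copy of most distinct rows in the table, in a
# deliberately shuffled order, plus one duplicate row to show de-duplication.
SAMPLE_ROWS = [
    r"PID 3672 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 3672 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
    r"PID 2336 wrote to memory of 3720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe",
    r"PID 2336 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe",
    r"PID 3720 wrote to memory of 4744 N/A C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp",
    r"PID 4744 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe",
    r"PID 4832 wrote to memory of 2284 N/A C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe",
    r"PID 2336 wrote to memory of 4832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe",
    r"PID 2284 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3948 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 2980 wrote to memory of 3972 N/A C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 3672 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\New.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (.*)")
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\", re.I)


def parse_row(row):
    """Return (writer_pid, target_pid, writer_image, target_image) or None.

    Image paths may contain spaces, so the tail is split only in front of a
    drive-letter prefix rather than on every space."""
    m = ROW_RE.match(row)
    if not m:
        return None
    paths = re.split(r" (?=[A-Za-z]:\\)", m.group(3))
    if len(paths) != 2:
        return None
    return int(m.group(1)), int(m.group(2)), paths[0], paths[1]


def build_tree(rows):
    """Return (children, names, roots).

    children: writer pid -> list of target pids (one edge per distinct row)
    names:    pid -> image path
    roots:    pids that never appear as a write target, i.e. whose parent the
              table does not record."""
    children, names, writers, seen = defaultdict(list), {}, {}, set()
    for row in rows:
        parsed = parse_row(row)
        if parsed is None or parsed in seen:  # sandbox logs one row per write call
            continue
        seen.add(parsed)
        src, dst, src_img, dst_img = parsed
        names[src], names[dst] = src_img, dst_img
        children[src].append(dst)
        writers[dst] = src
    roots = sorted(pid for pid in names if pid not in writers)
    return children, names, roots


def render(children, names, pid, depth=0):
    """Indented text lines for the subtree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {names[pid]}"]
    for child in sorted(children.get(pid, [])):
        lines += render(children, names, child, depth + 1)
    return lines


def suspicious_hosts(children, names):
    """Heuristic (editor's own): Windows-directory binaries that went on to launch
    executables from user-writable paths. A compiler such as jsc.exe has no
    business spawning files from the user's Pictures folder; this is the shape a
    hollowed or injected host leaves in the table, not proof of it."""
    return sorted(pid for pid, kids in children.items()
                  if WINDOWS_DIR.match(names[pid])
                  and any(USER_WRITABLE.match(names[k]) for k in kids))


if __name__ == "__main__":
    children, names, roots = build_tree(SAMPLE_ROWS)
    for root in roots:
        print("\n".join(render(children, names, root)))
    print("roots without a recorded parent:", roots)
    print("likely injected hosts:", suspicious_hosts(children, names))
```

Run stand-alone it prints two trees. The second root, PID 2980, is the second instance of kBjYDo1GDKG36UlP3F94uh9M.exe listed in the Processes section; nothing in this table writes to it, so its parent has to be established from other evidence (the persistence signatures in this report are the obvious place to look).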

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\New.exe

"C:\Users\Admin\AppData\Local\Temp\New.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe

"C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe"

C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe

"C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe"

C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp" /SL5="$801E2,1518993,56832,C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe"

C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe

"C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe"

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s

C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe

"C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe

"C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

"C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --silent --allusers=0

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6e6221c8,0x6e6221d4,0x6e6221e0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --version

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

"C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1224 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240311152112" --session-guid=208ae88d-0526-43b9-85ae-846938541081 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5405000000000000

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2c4,0x300,0x6db121c8,0x6db121d4,0x6db121e0

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2460 -ip 2460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1984

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x600040,0x60004c,0x600058

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E94.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\B6B9.exe

C:\Users\Admin\AppData\Local\Temp\B6B9.exe

C:\Users\Admin\AppData\Local\Temp\B6B9.exe

C:\Users\Admin\AppData\Local\Temp\B6B9.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B6B9.exe

"C:\Users\Admin\AppData\Local\Temp\B6B9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B6B9.exe

"C:\Users\Admin\AppData\Local\Temp\B6B9.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 624 -ip 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 568

C:\Users\Admin\AppData\Local\Temp\D639.exe

C:\Users\Admin\AppData\Local\Temp\D639.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
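Several command lines in this list are the most actionable evidence in the report: a Defender exclusion covering the whole user profile, an inbound firewall allow rule and an ONLOGON/HIGHEST scheduled task for a csrss.exe living in C:\Windows\rss rather than System32, an icacls rule denying Everyone delete rights on a dropped directory, and an sc sdset call that rewrites the WinDefender service security descriptor. The Python below is an editor's example, not part of the sandbox report or of any tool it names: it runs a handful of such checks over command lines copied from this list and decodes the SDDL string. The matching rules and the masquerading check are the editor's own; the two-letter rights codes are decoded with Microsoft's service-specific meanings (WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE, and so on).

```python
"""Flag defense-evasion and persistence command lines from a sandbox process
list, and decode the service DACL passed to `sc sdset`.

Editor's example, not part of the sandbox report or of the tools it names. The
sample command lines are copied from the Processes list above; the rules and
the heuristic wording are the editor's own."""
import re

# Constructed sample, copied from the Processes list above. The last entry is a
# control that must not be flagged.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'icacls "C:\Users\Admin\AppData\Local\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
]

# Service-specific meaning of the SDDL access-right codes (Microsoft's mapping).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LOCAL SYSTEM", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny"}

RULES = [  # (pattern, reason); editor's heuristics, not the sandbox's signatures
    (re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I), "Defender exclusion added"),
    (re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*\baction=allow\b", re.I), "firewall allow rule added"),
    (re.compile(r"schtasks\s+/create\b", re.I), "scheduled task created"),
    (re.compile(r"schtasks\s+/create.*?/sc\s+onlogon.*?/rl\s+highest", re.I), "logon task runs with highest privileges"),
    (re.compile(r"\bsc\s+sdset\b", re.I), "service security descriptor rewritten"),
    (re.compile(r"\bicacls\b.*?/deny\s+\*S-1-1-0", re.I), "Everyone denied access to a dropped directory"),
]
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
PATH_RE = re.compile(r'([A-Za-z]:\\(?:[^\\\s"\']+\\)*)([^\\\s"\']+\.exe)', re.I)
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64|Sysnative)\\$", re.I)


def parse_dacl(sddl):
    """Decode the DACL of a service SDDL string into (type, trustee, [rights]) tuples."""
    m = re.search(r"D:((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")[:6]
        decoded = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]
        aces.append((ACE_TYPES.get(ace_type, ace_type), TRUSTEES.get(sid, sid), decoded))
    return aces


def stop_denied_to_admins(sddl):
    """True when Administrators cannot stop the service: SERVICE_STOP is either
    explicitly denied or never granted to BA. Both hold for the sc sdset line
    above, so an elevated `sc stop WinDefender` is refused with access denied."""
    granted, denied = set(), set()
    for ace_type, trustee, rights in parse_dacl(sddl):
        if trustee == "Administrators":
            (denied if ace_type == "deny" else granted).update(rights)
    return "STOP" in denied or "STOP" not in granted


def sddl_from_sc_sdset(cmd):
    """The SDDL argument of an `sc sdset <service> <sddl>` command line, or None."""
    m = re.search(r"\bsc\s+sdset\s+\S+\s+(\S+)", cmd, re.I)
    return m.group(1) if m else None


def masquerading_paths(cmd):
    """Paths whose file name is a core Windows process but whose directory is not System32."""
    return [d + n for d, n in PATH_RE.findall(cmd)
            if n.lower() in SYSTEM_NAMES and not SYSTEM_DIR.match(d)]


def triage(cmdlines):
    """Map each flagged command line to the list of reasons it was flagged."""
    findings = {}
    for cmd in cmdlines:
        reasons = [label for rx, label in RULES if rx.search(cmd)]
        reasons += [f"core process name outside System32: {p}" for p in masquerading_paths(cmd)]
        sddl = sddl_from_sc_sdset(cmd)
        if sddl and stop_denied_to_admins(sddl):
            reasons.append("Administrators denied SERVICE_STOP")
        if reasons:
            findings[cmd] = reasons
    return findings


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_CMDLINES).items():
        print(cmd[:70], "->", "; ".join(reasons))
    for ace in parse_dacl(sddl_from_sc_sdset(SAMPLE_CMDLINES[4])):
        print(ace)
```

The decoded DACL shows why the service survives a normal clean-up attempt: the Administrators allow ACE grants everything except WP and DT, and the separate (D;;WPDT;;;BA) ACE denies exactly those two, so stop and pause requests from an elevated shell fail. Two openings remain, both visible in the same string: LOCAL SYSTEM keeps STOP, and Administrators keep WD (WRITE_DAC), so a SYSTEM-context shell can stop the service directly and an administrator can first rewrite the descriptor with sc sdset and then stop it.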

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.68.143:443 pastebin.com tcp
US 188.114.96.2:443 yip.su tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 galandskiyher5.com udp
DE 185.172.128.126:80 185.172.128.126 tcp
US 8.8.8.8:53 midnight.bestsup.su udp
US 8.8.8.8:53 namecloudvideo.org udp
US 8.8.8.8:53 net.geo.opera.com udp
US 15.204.49.148:80 15.204.49.148 tcp
US 188.114.97.2:443 namecloudvideo.org tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 172.67.171.112:80 midnight.bestsup.su tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 shipbank.org udp
US 104.21.10.217:443 shipbank.org tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 126.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
US 8.8.8.8:53 148.49.204.15.in-addr.arpa udp
US 8.8.8.8:53 217.10.21.104.in-addr.arpa udp
RU 194.87.206.12:80 galandskiyher5.com tcp
US 8.8.8.8:53 12.206.87.194.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
DE 185.172.128.187:80 185.172.128.187 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 187.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 124.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.24:443 download.opera.com tcp
NL 82.145.216.15:443 features.opera-api2.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.176:443 download3.operacdn.com tcp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 15.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 8f1be729-088d-4df7-a467-544ee60645df.uuid.filesdumpplace.org udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
CO 186.147.159.149:80 sdfjhuz.com tcp
US 8.8.8.8:53 149.159.147.186.in-addr.arpa udp
US 8.8.8.8:53 server1.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun1.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server1.filesdumpplace.org tcp
CH 172.217.210.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 172.67.139.220:443 api.2ip.ua tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
BG 185.82.216.96:443 server1.filesdumpplace.org tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 superemeboxlogosites.pro udp
US 188.114.97.2:443 superemeboxlogosites.pro tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
RU 194.87.206.12:80 trad-einmyus.com tcp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 104.21.80.130:443 wisemassiveharmonious.shop tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 colorfulequalugliess.shop udp
US 8.8.8.8:53 130.80.21.104.in-addr.arpa udp
US 188.114.97.2:443 colorfulequalugliess.shop tcp
US 8.8.8.8:53 relevantvoicelesskw.shop udp
US 172.67.147.173:443 relevantvoicelesskw.shop tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 173.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp

Files

memory/3192-2-0x00000165B9860000-0x00000165B9882000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsvgfn3f.v5v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3192-10-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

memory/3192-11-0x00000165B9850000-0x00000165B9860000-memory.dmp

memory/3192-12-0x00000165B9850000-0x00000165B9860000-memory.dmp

memory/2336-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3192-14-0x00000165B9850000-0x00000165B9860000-memory.dmp

memory/3192-17-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

memory/2336-18-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/2336-19-0x00000000059F0000-0x0000000005A00000-memory.dmp

C:\Users\Admin\Pictures\7EiCwzdezozWvWhtgnDpecT7.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe

MD5 3ca2f625386f7a3ca29376148974fa64
SHA1 646443709518ef699bae4755b262370ff6e7fbcc
SHA256 25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4
SHA512 dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79

memory/3720-52-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe

MD5 d184e9f455a3fb4b66cda4f480e2ebf8
SHA1 1369492c1ce7ce4bd8cee7a9bde706b781fb9f46
SHA256 bbecbf128a00477ac026297bac7bd37e623bace32afdda18cd561a8ea5fa06ab
SHA512 c4d335b6325e1638cc24476d4248cb5fa45e75564561fdff10c889b6d269fab9bf798f115c3858e50b0a39328845189571a7d67d4318d004a9a5cc0af8afd97e

C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe

MD5 1b5db3a14abeadec87533581be1ce2cf
SHA1 2522160144ecab17a9fe716595f43cb007a909a2
SHA256 c407fdfdf85ad02428199f989672c2f23d5e916c65341a461fb6071521305080
SHA512 4309323b6fa7414402919c3d2624ccd73167e6afb10a278120fa13803c97bd1c5b6808206419ad6949e727f25a5c9da8a650529ac5f3e43f86c7afe80160c98f

C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp

MD5 150a46b9c3e09bc0ed8d581669fe605b
SHA1 760baa334e4e024e80f27f8e23b900600281a853
SHA256 2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f
SHA512 d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805

memory/4744-62-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-E924I.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe

MD5 e474dda04f6f90ba50ebff47395b19c9
SHA1 db1dc005639d232a25e074267239fd9e5fcbe6c7
SHA256 d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef
SHA512 aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055

memory/1188-100-0x0000000001B90000-0x0000000001B9B000-memory.dmp

memory/1188-97-0x0000000001D30000-0x0000000001E30000-memory.dmp

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

MD5 c472ca448e146d814ab657cc95fb0a12
SHA1 28c1c8dc0f593622a25d2fb3bfcb7c685b0145f8
SHA256 7769f42e9600973ec055bde949de805a7d30793ba12cf7d0a5bd80abf1a3409c
SHA512 bfa704c1ba79f3e9f1e5f39e2a59bacce28fdbff65028278c7b573179b203d92598ee0b08513341965cfce041074952a3bb9b83afe7e376beb257eb5bd8b279e

memory/1580-105-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

MD5 1f30bb1d3121cbf566cb63e8c06776ee
SHA1 988c9f2d7e8e1453d03d79562e0917fa541377e7
SHA256 e9e9019a47cf606755f12e46f46913a4957c7f77c1585f71c2d9164ecad15a87
SHA512 7278b759e73e88e4cb99811fb9d67e9f9107085c0c42a1baa83072ed59b0da3e39f89e561888edc8fd14dc1244f00f2852d4b3605927c5728ff582d6db39fc6e

memory/1188-108-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/1580-109-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/3528-110-0x0000000003A20000-0x0000000003E22000-memory.dmp

C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

MD5 ad60bd5c56e08f463cb1f9d5fde642cd
SHA1 e71df8a16862f186bc6793d5d5e448bee018f041
SHA256 9b1db8d4b15d7a25ff7296cab3f618de825e7e4f5b054adc7534abab93132693
SHA512 54954a4ad9477ec61964e362a0b9293dc5915241bfc9f723cd6574360c04285c517798fbf121de7211e30b5a0fe3856cb5e12fcc5107bff815c3476a0ab3d7a9

memory/3528-113-0x0000000003E30000-0x000000000471B000-memory.dmp

memory/3528-114-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1984-115-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe

MD5 74fbc954435fb0b73ad76afa3fb1969e
SHA1 a9eeba2cace9e8a236cb4bcdf379d71832d7f163
SHA256 7fae036851b4231149ee8d331cea9f3cd2d641c14be522909d9c3152d59241ab
SHA512 a08710f95d7136cc411172a9ab7135f6f21abd7cf3393f8e71c62cba84cd2fb3d490aae2bc177bc40b6139152fe86a362d7bff28f3ea06920eb37b24a29204a6

memory/3428-126-0x0000000003170000-0x0000000003186000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 099d81985b4d1951c9a0448bdead2e31
SHA1 3707f6971ecdd856999ca980a1b99b551bea5ff9
SHA256 291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095
SHA512 f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2

C:\Users\Admin\AppData\Local\Temp\nst8E77.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

memory/1188-127-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2460-142-0x0000000001C70000-0x0000000001D70000-memory.dmp

memory/2460-143-0x0000000003650000-0x0000000003677000-memory.dmp

memory/2460-144-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/380-150-0x0000000002C20000-0x0000000002C56000-memory.dmp

memory/380-152-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/4832-159-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 be1ac00f167db10466dd478c5fc84236
SHA1 88fdd87741500809227220714ebcdf6640ee12a5
SHA256 b2327156069cffc46a71de7796fa849247cb1be9e984baf38d3198aba6f0df84
SHA512 cf59ba95daaf312b504d5b86e222c9ff93f1b8b09dd0648bb3c712e61b83921bf3c00371c4aae0a9cbc81543a84d225dbc5e4803bd3486bbea2a0d537869a6bf

memory/2336-162-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/380-161-0x00000000057E0000-0x0000000005E08000-memory.dmp

memory/2284-163-0x0000000000400000-0x0000000000930000-memory.dmp

memory/380-160-0x0000000003140000-0x0000000003150000-memory.dmp

memory/380-157-0x0000000003140000-0x0000000003150000-memory.dmp

memory/3720-164-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2284-165-0x0000000000C20000-0x0000000000C21000-memory.dmp

memory/380-167-0x0000000005720000-0x0000000005786000-memory.dmp

memory/380-173-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/380-166-0x0000000005680000-0x00000000056A2000-memory.dmp

memory/380-178-0x0000000006130000-0x0000000006484000-memory.dmp

memory/2460-179-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/380-185-0x0000000006560000-0x000000000657E000-memory.dmp

memory/380-187-0x00000000065A0000-0x00000000065EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/380-217-0x0000000006AE0000-0x0000000006B24000-memory.dmp

memory/3528-224-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/4744-225-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/1984-226-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/2336-227-0x00000000059F0000-0x0000000005A00000-memory.dmp

memory/380-228-0x0000000007890000-0x0000000007906000-memory.dmp

memory/380-229-0x0000000007F90000-0x000000000860A000-memory.dmp

memory/380-230-0x0000000007930000-0x000000000794A000-memory.dmp

memory/2460-234-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/380-235-0x0000000007B00000-0x0000000007B32000-memory.dmp

memory/380-236-0x000000006F420000-0x000000006F46C000-memory.dmp

memory/380-238-0x000000006EB00000-0x000000006EE54000-memory.dmp

memory/380-237-0x000000007F230000-0x000000007F240000-memory.dmp

memory/380-251-0x0000000007AE0000-0x0000000007AFE000-memory.dmp

memory/380-252-0x0000000007B40000-0x0000000007BE3000-memory.dmp

memory/380-253-0x0000000007C20000-0x0000000007C2A000-memory.dmp

memory/380-257-0x0000000007CE0000-0x0000000007D76000-memory.dmp

memory/380-258-0x0000000007C40000-0x0000000007C51000-memory.dmp

memory/380-259-0x0000000007C80000-0x0000000007C8E000-memory.dmp

memory/380-260-0x0000000007C90000-0x0000000007CA4000-memory.dmp

memory/380-261-0x0000000007D80000-0x0000000007D9A000-memory.dmp

memory/380-264-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

memory/3528-263-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2284-266-0x0000000000400000-0x0000000000930000-memory.dmp

memory/1984-267-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/4744-268-0x0000000000610000-0x0000000000611000-memory.dmp

memory/380-271-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/3528-280-0x0000000003A20000-0x0000000003E22000-memory.dmp

memory/2980-281-0x0000000003AE0000-0x0000000003EE1000-memory.dmp

memory/1984-282-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/2980-286-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2460-298-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/2460-302-0x0000000001C70000-0x0000000001D70000-memory.dmp

memory/3972-303-0x0000000005DC0000-0x0000000006114000-memory.dmp

memory/2460-313-0x0000000000400000-0x0000000001A34000-memory.dmp

memory/3972-314-0x00000000750A0000-0x0000000075850000-memory.dmp

memory/3972-317-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3972-315-0x0000000002D20000-0x0000000002D30000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

MD5 6e2cba75e503c329503116801611b52f
SHA1 87fa56666fda240a3e2f0be5bb817d888d35b926
SHA256 88fcd287fbf95422454ccd263b0a0915cddaa92e4c86a426d3680b40fa0b29b6
SHA512 1dc8ccfc04d3a49d045233831b762f7122d2db000c5f663a50e9425991f3d51ce4d1fc2bf31aeefa5560553a12c25c9cbccc6a912c50fabea8c21776cc5b384b

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

MD5 177c38eb9eb7af5087cb80b4a68b1281
SHA1 a7d0620725792d41222d03bb8c4e2c31ead7847f
SHA256 801ae1fee7f3a78340ccedf787d1391930045ba39b1efe077fba0e746b6b1d0b
SHA512 a97bd903f361f65929e640075882e2e3d3565b60e968142bb86ae50e848c71ff2363d55ada1c101b98804c96f63b5f81eb254ad68b9dda9a6c07e20c52d87641

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521106541224.dll

MD5 dda78bf5a869f7b193163fd1a9c054da
SHA1 e5a0945ee6abc5be19cf42d3afc08bb2be419128
SHA256 6b3516adc6be5724707a7bb708f391765bc90cab33e5e144ece0b57ee8622524
SHA512 9e3e7b6e3cdb655b621b7c69d3569536005b0acfd7e10c4e7c8f82ff1a147b85eb54991d7c84bfc7ace739bdbc973f6b799b5b676eaeb3c41befd2c918f86f17

memory/3528-339-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

MD5 5614e2ea9f10d56d3199572664ab4abc
SHA1 d2e26e5ac239c00e561d7d92357e27bfbc5e16b3
SHA256 94d2ef9e71ef2ce604877a354562e1b367d11dc337b8db3a75fae1bc4354075b
SHA512 51fef200adbe6f1b167f68e9810beaf5a429b6a68ec4a756b6aca594889919f6773a57fc177e999a1a75979f1c580a624b11851fe6880de2c436408040abf0ed

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521112484876.dll

MD5 5a18f4fdd9a452d8f3a2692f79946acb
SHA1 abbc0892df6dc490fc1974ef835877c1fe585513
SHA256 e2cda95bdc19110fcbf8f56001c7c3741a60acb2e88fb9ee0d5f253d190e822e
SHA512 ead1438be6aeb7a1730dbc1a954b7b1129739fbf3b3adeaaf6862f4237a711a34dd14b4ef355af270348f5bf42220997f84fa871a6f3f37bfb67bb1999fc5a55

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

MD5 f8939b114aab258fa56e835d858747c2
SHA1 98350036dfec6cd033b48a574bb4cba481f6f77c
SHA256 7694f25356503f5f00a8d64587f905e7120607d3043114e02b127364c0643074
SHA512 51b0affac001a67ee573d77fbe5c616c5cd208cafa6ae13e74283eeb69f12ff5f2160dfe67729617f613f3f4555c5aa505486f42174fb40f7b76a9460f3c9233

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe

MD5 98909fe4cc1b0f5c09662ccfef21c5d2
SHA1 f618453031e85465249eac849f55b3e64bae1a68
SHA256 e160053908776988cdc5860348b1782cc326856fb6976f352c0d83c62b1d3eb9
SHA512 a6a55687f1b0a887671fe6d6b405131012735eda1b8706fc92f6bf4dabde285f8565a0498347718089abd1996b73726157a012416e48433e955362a338e98d2d

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521116281244.dll

MD5 6585c04ac560776fa8dd6c2b85350b1f
SHA1 27b918c549a7e0cd3129b2a51f8451ab244f3429
SHA256 13624a80c9de106952e6315f00102bf44bfe2ce6192550e3a872d9c223212ef4
SHA512 9a40c9a11371b2dcb35a197c78cc991f269f897e281be1c4becbb2d90682b584644dbe367a701d114cfcc742fc4ba34910ff2691e712695986c0983526572bdd

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521116281244.dll

MD5 f755fe732556cd439a27be40f780b758
SHA1 ead634b25d40d27ee54a531e4e36361f08d8246a
SHA256 ed98d8bb826ef82fa25113a4d3992ae7951199b2fa7d851c6d14144a027ef6bc
SHA512 b1d3ae9fb4b1b3019234dff1add232da3c1c2cf36f39adbce82adc7ed0d0125feb53603088aefc5578ce6bdf17357096e63673055331b1566a322a253f0dbd4a

memory/1244-362-0x0000000000750000-0x0000000000C88000-memory.dmp

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

MD5 adb477df157b744465dfd76d5cb50cb7
SHA1 78c33535400f1bebbbc38f00f2ace5d78b57af5e
SHA256 c6cbf9678ca0efe2600cb5025a5f43e2a0b63a76a8b4173320b69170a5ef703d
SHA512 d05dfbf9225869f622509d54f207853db943a0d8b73e0eeb8e841880e3f580462dedc1df32656aadc440266333ff34d918c3311f625ec9fe0c8e54443a93dd93

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521130654712.dll

MD5 edcabf3acb09e79b542436c67624d50b
SHA1 c36b51cd4ff8d95586e4665e64fc611c3c043425
SHA256 e2eebe087ade661f6d17f8765a231b8e4a107bbe7b38200c5dd50de142b85347
SHA512 e2103a1f4bdf2bbf7b383785d1aba6294e698961f3cf87629962f35abc115573f842016802adddce7fa65c9e803a63b2717cc1a83bf9fd1b71e05132cc674953

memory/1984-366-0x0000000000400000-0x00000000005BB000-memory.dmp

C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

MD5 348dc4d114e42f5bf85ce09760660246
SHA1 5f4da836d7e87e5386a7f361ce522d28f4327d0f
SHA256 8a70c4aa00e0b939787b572d651f5306687ed06248a2fc8bcedf0b1a1a7c23aa
SHA512 c0f8bdf9b6e50e0871905ea5b62c84ab0952c4181b24e32f6c238ecf40e54508b080c404ce97e411409e1240082a81f4178318c7a5454472e5de171d08b350ee

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 9cdf189636e47aa6042eb5856e0d9057
SHA1 afab72399ffb36dec1ad0793151eaa7ec91b9afd
SHA256 2da5f500f4eb304dc0b3377c19209c924267e3090c572abb66ce4beb301b1e02
SHA512 df1941c3feab837f1c6b870d59cde69d61532e30d4531fe222a0257cc83ad54ee8e66c8476089c5d2c2a0d2fba6239915e08a30f7df831e7bff975cc518d4a80

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521135653220.dll

MD5 a7e2a8f0dfb1639dc1591c0961b1f861
SHA1 cee658bc7c0eb2f0f55b966c9c5201959bdc8d34
SHA256 3c1c782496dfbd0fa4534ea89a0d914d40e7c4b0a94d4991c7eebf751501bd46
SHA512 3063912ea960f5c63645ac70f47294285ad83dfae0fb36442894372f9083879a67cd6a6539bcc7a13eda2618d2a5aa5302fb89f0cf82920f136ef7c9b203ea0a

memory/2980-380-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2460-414-0x0000000000400000-0x0000000001A34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 efd8ad67c3341bab76bcb7f85c8a0acd
SHA1 1c638d8b2330c7c19ac58b66e311e8472874c6d4
SHA256 051003d560bad10b963a231b15b642b216c6ba7a1fb7668ff3c0e5f56053fbf4
SHA512 50f22169679e5a691585962717c8aa320037cf62207b66c109036fdda56627bd81bd0bf11b161c04d2ee59ae1c6e8884e06a0d7d3da6cd14ee505f1576ae3ebf

memory/1984-434-0x0000000000400000-0x00000000005BB000-memory.dmp

memory/3220-436-0x0000000000370000-0x00000000008A8000-memory.dmp

memory/2980-438-0x0000000000400000-0x0000000001E16000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b9c56fef089c22f77c34ed291b6adf0c
SHA1 776ade0c003e86a7dc11e8f7e9a4ce6aadb22b54
SHA256 d34bf1ff2e2c75e16aab260415d1371dd9234d1fc201c6bad90c41461f7e74af
SHA512 adbc3ee356df5e448eac045a5f06cc68f23ccd9568e42967c3483ebe95f6e1f533e60b74574791e773583c9675ef439f70a6a16749422e27e43e5b22291399dc

C:\Windows\rss\csrss.exe

MD5 7df38c9b9403dc949a2b823b8682e9e5
SHA1 66ae8c2b251180d2acf6112452f812d44ecd81a1
SHA256 d5b48887ce12ec6f40229e9a5091bcc6d0bd35e289257f25c78378316976b1c8
SHA512 4a6e4fc56de13e9570fd4267a5c6e6e765a77d03426ae75e375506c946e4acfe8633b8120bb8b8801b0c0e646d69a75ac71b3421183ecd6a1205ddfc4fe88eef

C:\Windows\rss\csrss.exe

MD5 55c85f58da6671f67922f372d356325c
SHA1 7ba3811e1dcf31c3829e5c381eb563779798746a
SHA256 06badece824c881c0a004fa9874333d5f00f3cc3032efb224762548a274ef208
SHA512 8a90cf5d4931cc93546e945587009696387b3c09f36326adf475dd8638ba12e41585ef4c792f740c89cc3e0b2cbb6096036e19d057ec09cadd8262a979729097

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 25d3fbd37ff5d6639622a5e0ecdb0e10
SHA1 7d276361cf23eefb054a10a0467794a7346010e0
SHA256 ffe88bba8be83e4f1379f13550002dc4bc131f3b907e6fdc2a189c859b9232ee
SHA512 ae561698b7c69f340c8ad1bd2913c3c0ee675571d0f1c3c6e000864c16aeb8145fa9f08c68588efae9757b5145961a4d6d83df7974fce14294a14a0116cace19

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\opera_package

MD5 360efb56858be64f43fa1586e44c9f17
SHA1 721007f5b2d71047fae49c502c76d8b91e0f5876
SHA256 f967395aa0c889a0d8202d9347a1de1050216a0c45995eb756644d4d70d3ff44
SHA512 47a759f9fec7d0cd3868d479ee57d4057736e8c13f6c762f1615cd7356cdc7e7754b72c0df5992b488ba466fdb3041e1eb28b0ed4cb3a879f9c836aee9c97944

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\dbgcore.DLL

MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fa403614546e98428b577aa8e009c870
SHA1 791d84ffe77113cdd0c2636d2df2cbebd9ec2ed4
SHA256 30400ee1e76f5b1cb056571b470528af0351ae4bee6c98a744f0ba7aeaf4a79d
SHA512 138d5a87f3e9e7983a2b56b2522cb6898b171e594f1bcbb5f0d461e36e0a8e3b1b1c0e9585ed85ba37e75a75c0fed0561795047ebd97e0d4bb89996eceb6b365

C:\Users\Admin\AppData\Local\Temp\6E94.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0152c0fbfba55b85e7f847867afbf00d
SHA1 0e09c666517e49526a7abefa94512cc30a556238
SHA256 4c307d5f7e9006df16213fb3be5ed0e0836032d9aacb83c42d0a150525a9305a
SHA512 c71c209ce051cb896784c382d013ed58d95d57c52b469aca4ba3c166ff88bd254ca037019f63afe88b47b8dc13c5483181b4ef0647c89bdf6c69296ebbd43ce5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\AppData\Local\Temp\B6B9.exe

MD5 51597fedbf769613eac193b679de833d
SHA1 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945
SHA256 b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c
SHA512 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23