Analysis Overview
SHA256: c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
Threat Level: Known bad
The file New.exe was found to be: Known bad.
Malicious Activity Summary
Stealc
Windows security bypass
Detect Vidar Stealer
Glupteba payload
SmokeLoader
Vidar
DcRat
Lumma Stealer
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Downloads MZ/PE file
Modifies Windows Firewall
Reads data files stored by FTP clients
Windows security modification
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Drops startup file
Modifies file permissions
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Enumerates connected drives
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies system certificate store
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-11 15:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-11 15:20
Reported: 2024-03-11 15:22
Platform: win7-20240221-en
Max time kernel: 129s
Max time network: 135s
Command Line
Signatures
DcRat
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Stealc
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cSbFgdAsvOucWRwa7E5jY4KX.exe = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZHUcEn2x7LjA371ZeB5oAV36.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fFOPRxb8bYFYkRmfjoDrEK25.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1mt9PShhIERJPYMI6YPDfxFl.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVSQ7xgUPK1xZstKJqVu6ywP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmH4wzlgnihpPX3uEV9uOp9h.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\cSbFgdAsvOucWRwa7E5jY4KX.exe = "0" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ca2c8eec-2f22-42a2-a00a-33fbc1f3fe6c\\8029.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8029.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 848 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 2496 set thread context of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\8029.exe | C:\Users\Admin\AppData\Local\Temp\8029.exe |
| PID 1448 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8029.exe | C:\Users\Admin\AppData\Local\Temp\8029.exe |
| PID 1520 set thread context of 1316 | N/A | C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe | C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240311152054.cab | C:\Windows\system32\makecab.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not captured in this report] | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not captured in this report] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not captured in this report] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not captured in this report] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\New.exe
"C:\Users\Admin\AppData\Local\Temp\New.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
"C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe"
C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe
"C:\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe"
C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
"C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe"
C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
"C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp" /SL5="$900F4,1518993,56832,C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311152054.log C:\Windows\Logs\CBS\CbsPersist_20240311152054.cab
C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
"C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe"
C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
"C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\A9B.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\8029.exe
C:\Users\Admin\AppData\Local\Temp\8029.exe
C:\Users\Admin\AppData\Local\Temp\8029.exe
C:\Users\Admin\AppData\Local\Temp\8029.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ca2c8eec-2f22-42a2-a00a-33fbc1f3fe6c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\8029.exe
"C:\Users\Admin\AppData\Local\Temp\8029.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8029.exe
"C:\Users\Admin\AppData\Local\Temp\8029.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe
"C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe"
C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe
"C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1404
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 188.114.97.2:443 | yip.su | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| US | 8.8.8.8:53 | midnight.bestsup.su | udp |
| US | 8.8.8.8:53 | namecloudvideo.org | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 15.204.49.148:80 | 15.204.49.148 | tcp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| RU | 194.87.206.12:80 | galandskiyher5.com | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| US | 104.21.29.103:80 | midnight.bestsup.su | tcp |
| US | 188.114.97.2:443 | namecloudvideo.org | tcp |
| US | 8.8.8.8:53 | shipbank.org | udp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 172.67.146.202:443 | shipbank.org | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| US | 8.8.8.8:53 | a889e364-2d97-4b93-af2c-719a71d91c72.uuid.filesdumpplace.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| HN | 138.204.181.135:80 | sdfjhuz.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| HN | 138.204.181.135:80 | sdfjhuz.com | tcp |
| KR | 123.213.233.131:80 | sajdfue.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| KR | 123.213.233.131:80 | sajdfue.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| DE | 49.12.116.63:80 | 49.12.116.63 | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
| RU | 194.87.206.12:80 | trad-einmyus.com | tcp |
Files
memory/1648-4-0x000000001B290000-0x000000001B572000-memory.dmp
memory/1648-5-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/1648-7-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/1648-6-0x0000000002220000-0x0000000002228000-memory.dmp
memory/1648-8-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/1648-9-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/1648-10-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/1648-11-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/2980-12-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2980-13-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2980-14-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2980-15-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2980-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2980-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2980-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2980-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1648-22-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp
memory/2980-23-0x0000000073FF0000-0x00000000746DE000-memory.dmp
memory/2980-24-0x0000000004E40000-0x0000000004E80000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar6F9C.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
| MD5 | a7c452e26ea6b9763bfacfb7cf18b2d2 |
| SHA1 | 6f31f449c4e3b8675cd27f89dc3c4fe411516d6c |
| SHA256 | 4078a5797759d89c833b29a9296a384aecb84bcab5137a3fb6b712ff112928f2 |
| SHA512 | 1c9841cfd169dfc87ca3a6092b7b88d396220e740d92f2ab477e921e500c397638e8b3c6060b649d8cc4f1ddd28acc0af9b165736368e11943d110c0f0ac377b |
\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
| MD5 | 6c1774b0b9043c398474db860f2e3afd |
| SHA1 | d3a62839f69a324f9772abe55d07786425684e8c |
| SHA256 | 39e9219594ca9af1ce957cf7c98670ba55551bcd223588cf6ec42c29b546f305 |
| SHA512 | 1360f00dab0780c5dc4c068f5f52c20164878964ca308e907746bdc12e3bb1b91b83c05cb33b6593b8341e722c8d39dab7ed2a0a88f62f9d3b8698eff1dc7382 |
memory/2656-162-0x0000000003650000-0x0000000003A48000-memory.dmp
\Users\Admin\Pictures\n7KBRy0nP6u33SG4vO0RESsA.exe
| MD5 | e474dda04f6f90ba50ebff47395b19c9 |
| SHA1 | db1dc005639d232a25e074267239fd9e5fcbe6c7 |
| SHA256 | d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef |
| SHA512 | aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055 |
memory/2656-175-0x0000000003650000-0x0000000003A48000-memory.dmp
memory/2668-177-0x0000000000020000-0x000000000002B000-memory.dmp
memory/2668-176-0x0000000001B20000-0x0000000001C20000-memory.dmp
memory/2656-181-0x0000000003A50000-0x000000000433B000-memory.dmp
\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
| MD5 | 3ca2f625386f7a3ca29376148974fa64 |
| SHA1 | 646443709518ef699bae4755b262370ff6e7fbcc |
| SHA256 | 25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4 |
| SHA512 | dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79 |
C:\Users\Admin\Pictures\8gDbYZV0PwziwgGtmCC7oc3f.exe
| MD5 | bfa341e061b5de22ac962a1bb4e0d28b |
| SHA1 | 3ddf2fb36064994fcc0d1fc5054506ad71f765fb |
| SHA256 | 53b9719601792e1abe8165dced070112f37e581a3eb34730e90eb33d2db31f49 |
| SHA512 | d329d555c2f58be4835aba008401c1ee39bf37c1530793612860884e11899120629c943458c93a6c91fc89a2d8846993d04a7e9b64a79fa3ab1f647f0200d313 |
memory/2548-187-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2668-189-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/2656-191-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2548-192-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
| MD5 | 664b6d38762654f502b48c513ed59b3c |
| SHA1 | f2627fea451e80772f8629a85bac61442d4c9d5b |
| SHA256 | 4900ee269a6c4163d012ca06d48c2fb3f6afcffafa87adf193f0388389a88e6b |
| SHA512 | 6208f7f16dc1efa1f690cbbe469bb129254fcdc9eaaa59446c69119e9d4588e2a0b6e1d49fe31720edb23355a3771fffd4b4faccb6a6898ca766abd967d0ce4e |
\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
| MD5 | 150a46b9c3e09bc0ed8d581669fe605b |
| SHA1 | 760baa334e4e024e80f27f8e23b900600281a853 |
| SHA256 | 2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f |
| SHA512 | d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805 |
memory/1272-199-0x0000000002A40000-0x0000000002A56000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-DTGEV.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2668-200-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/1208-212-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2668-214-0x0000000000020000-0x000000000002B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-DTGEV.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2980-208-0x0000000073FF0000-0x00000000746DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-95FKR.tmp\8gDbYZV0PwziwgGtmCC7oc3f.tmp
| MD5 | af7fda7a10ef0b2e96d7dbd169f80110 |
| SHA1 | ab84331c89854b6730aa32be7518d14c371b44e1 |
| SHA256 | e3292a4334b611efb11aad718a3db3339b9790ee80c7b3ebb192312008a89759 |
| SHA512 | 72a4c89e8c2fa682012df1fecb523449cd415b482c86f48f5cbb97f432b3e93fb0230b92c05d2c864380bcf0b05c2b7568daf9be42e10e5224a765e0bcf54656 |
C:\Users\Admin\Pictures\cSbFgdAsvOucWRwa7E5jY4KX.exe
| MD5 | 1b5db3a14abeadec87533581be1ce2cf |
| SHA1 | 2522160144ecab17a9fe716595f43cb007a909a2 |
| SHA256 | c407fdfdf85ad02428199f989672c2f23d5e916c65341a461fb6071521305080 |
| SHA512 | 4309323b6fa7414402919c3d2624ccd73167e6afb10a278120fa13803c97bd1c5b6808206419ad6949e727f25a5c9da8a650529ac5f3e43f86c7afe80160c98f |
memory/768-225-0x0000000003720000-0x0000000003B18000-memory.dmp
memory/2656-226-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2656-232-0x0000000003A50000-0x000000000433B000-memory.dmp
memory/2548-233-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
| MD5 | 8472669d90d8905aad3e96f64d26f130 |
| SHA1 | 277c1a882b0e18cb353f9c8f36498b0ef674e43e |
| SHA256 | b3ad170e8acc99fbd5901d9c99cc7b2f8bfedb2a849512f90ea6fa24cf648e2a |
| SHA512 | e33a23de1d06342edc49c263ea6f93b45b2b925e35e8ded85d18a79889a993d5a87ae1f531439e4991cfe2da84fc959d3a67b81a11e110d2d02cdce351754527 |
memory/768-234-0x0000000003720000-0x0000000003B18000-memory.dmp
memory/2656-239-0x0000000003650000-0x0000000003A48000-memory.dmp
C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
| MD5 | 74fbc954435fb0b73ad76afa3fb1969e |
| SHA1 | a9eeba2cace9e8a236cb4bcdf379d71832d7f163 |
| SHA256 | 7fae036851b4231149ee8d331cea9f3cd2d641c14be522909d9c3152d59241ab |
| SHA512 | a08710f95d7136cc411172a9ab7135f6f21abd7cf3393f8e71c62cba84cd2fb3d490aae2bc177bc40b6139152fe86a362d7bff28f3ea06920eb37b24a29204a6 |
memory/768-240-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Users\Admin\Pictures\GMIn4QlsVgYVXxrtavxMhQka.exe
| MD5 | ec1cfe227446950b198ce90831554404 |
| SHA1 | 919fd2a7a4b65ee9eeac6becfcc0455e442e01ee |
| SHA256 | 5d6cc44ca6ea24e7feaffdef68b477262d5326b9bcbba73823400a2ae6c003df |
| SHA512 | 8b7f80c000c12c079efcfade605a3d276b2d2497649c1c24cc89815631288e72f68c5369338a41097e377551260c19ef98764013f82b0b2b45eff4882bce4f7a |
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 694cea6208a828b323e8d4f51b40ba05 |
| SHA1 | 35633d388a48ae02b2defdfc443d9f8ac4acdb99 |
| SHA256 | 1b5e65ac9e3f4dd8dce9c8eebc5d3ba0a2ebd6b02b52aa901962d262edc4b0b3 |
| SHA512 | 62429016b84e4b760b4557df7bcc31bb692f9e1356f15b9954e46fbbfe69d957bd8266f66f3ec3163323fcb6955caf924bb4e651b733456119ed1d98b3da7a9c |
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 099d81985b4d1951c9a0448bdead2e31 |
| SHA1 | 3707f6971ecdd856999ca980a1b99b551bea5ff9 |
| SHA256 | 291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095 |
| SHA512 | f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2 |
memory/1684-257-0x0000000000220000-0x0000000000247000-memory.dmp
memory/1684-253-0x0000000001B90000-0x0000000001C90000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsoB1D4.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
memory/1684-258-0x0000000000400000-0x0000000001A34000-memory.dmp
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | eee5ddcffbed16222cac0a1b4e2e466e |
| SHA1 | 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5 |
| SHA256 | 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54 |
| SHA512 | 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc |
memory/1208-270-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2784-275-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2784-277-0x0000000004C90000-0x00000000051C0000-memory.dmp
memory/2568-278-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 85fc35a88ae5479cbe485e780e90276e |
| SHA1 | 361a4841c0ea4db9f345148b374de9b377c5431a |
| SHA256 | 86634f2408b773572e139d90644cd65b25c3278cb478087b392d5c517de7b00c |
| SHA512 | 4b4ab8cc2e4b2042994f4117ad8e71f6bd5c7092cbc26a24a815b6832f0fba351b0f303de312836a487ab371d8eeb75b38643cfedaa934170ca61c483f80d078 |
memory/2740-286-0x00000000035E0000-0x00000000039D8000-memory.dmp
memory/1684-288-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2568-292-0x0000000000240000-0x0000000000241000-memory.dmp
memory/768-287-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2740-313-0x00000000035E0000-0x00000000039D8000-memory.dmp
memory/2740-323-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/1684-334-0x0000000000400000-0x0000000001A34000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | db8c6e6ce1f8d4be351dccba21b0706f |
| SHA1 | 7ebb9c845b738d959dc125d69e6ad509978816ef |
| SHA256 | 32c2fe8a6eda1f6d6e02396fe3211a88d4cf5c83871697df10efe5c4799d3399 |
| SHA512 | d91ede154093db8b151a31c10734cca6290a590864f5a9913c72c6dbd4ca03f992dc755e76128c0a37028a9976871474a90ec25504c4f78739ab8812fc256c01 |
memory/2568-346-0x0000000000400000-0x0000000000930000-memory.dmp
memory/2740-350-0x0000000000400000-0x0000000001E16000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 73b1f002db75e894b53dac0c507a1064 |
| SHA1 | 3196a961d35f836f8118728d696c264e233a617b |
| SHA256 | 56b5841db54c135a4e3775f4af1a73a37bca61750e6257914b3c8fdf2635d181 |
| SHA512 | af404beeeef948b6403bb2d4a06b7809b1cd1122b4e8e48adba6068cfe322448db348302602b744e9d04fa00a29c1e43081e749e6cc54165b23e61ac8f6118f6 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 7d891b7d6ccb50d11ac7ba48923ab6fc |
| SHA1 | 85ffd57cc4dacefc35cad7befc3cb1af2a4dd58a |
| SHA256 | 5afc1252e2d74592cea475ce2d59b8ce212b968cd79fb401fb79e0d68229fafb |
| SHA512 | 8df1b7eacc7e3536c362e7dcd74cb6f9f5715bf3e4b25a74ab47011771bca35c9e0e1564814a2ca11e6c9ee2300798c657bf72d30304501425a9988f977bb990 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | c6b8a197dcf908b0cd585f4f84e5b7e7 |
| SHA1 | 6e0e33a20114e1f3261106760fe599eb41b12d7e |
| SHA256 | 3fa9520c9330fdde14c524cb37e44d8b8c886a4e08f582be579ef038d90abc32 |
| SHA512 | 9b1554d138077477c4dba0c96d881d1e7bc91937f639b17722d55a11f620afe61429db4ba645dcb360fde36e21fe16fab3efdc97da0db5dc158fb377ec36f2b1 |
memory/1348-366-0x0000000000430000-0x0000000000A18000-memory.dmp
memory/1348-368-0x00000000005C0000-0x0000000000BA8000-memory.dmp
memory/1684-369-0x0000000001B90000-0x0000000001C90000-memory.dmp
memory/1684-370-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/2784-371-0x0000000004C90000-0x00000000051C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A9B.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3d1194e62cddb60ab48542b26e40251 |
| SHA1 | a6af30ed2bc5ca8de1cff7f294c23ba4474ff4ff |
| SHA256 | b37742645c03522f49213bbad39713ac0c8c8b64d7355ddafb738d2624bf0498 |
| SHA512 | 54f9308d82087555189e13a225eecb70b279914783fc4bfd4fa7c1a2755b4ed38e1374350a045ac88e33a84dc4059313b2c41c96cc8f6e3b399c6a8808b63a5f |
memory/2568-404-0x0000000000400000-0x0000000000930000-memory.dmp
memory/2740-405-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2568-406-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/2568-415-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2740-416-0x00000000035E0000-0x00000000039D8000-memory.dmp
memory/1684-422-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/2568-429-0x0000000000400000-0x0000000000930000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2740-438-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2740-446-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/1684-448-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/2740-451-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/1348-452-0x0000000000430000-0x0000000000A18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8029.exe
| MD5 | 51597fedbf769613eac193b679de833d |
| SHA1 | 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945 |
| SHA256 | b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c |
| SHA512 | 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23 |
memory/2496-473-0x00000000033F0000-0x000000000350B000-memory.dmp
memory/2496-472-0x00000000002F0000-0x0000000000381000-memory.dmp
memory/2532-475-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d41bad24e85feecbb87060b006c750fd |
| SHA1 | feb8698ec9cca3dd502bb2e2c1441be26746445c |
| SHA256 | 7091bbb957d5b8c177a2c1f7b3eedffe77d8523a4520e14a988bb0f4b17cdb1b |
| SHA512 | ad236598b8813ab904ab47f044aedd2e32fdb07442e297cd44b093df51e8260e847ebd49533edf2f17e7b1d7054557d344ec9eba298712d137962ab416ae54ef |
\Users\Admin\AppData\Local\Temp\8029.exe
| MD5 | b7f5ca0c9a089b19350d404f4d954749 |
| SHA1 | d407efd2c451d5cd3b9c4fd8d64627e222e1c925 |
| SHA256 | 7f11ab4b84f397a1e533d56489a0cdeae0121c36621381c6f4026833e5208b15 |
| SHA512 | 694eea50e3c08a156b909d83fd29a9e414690d3a10be484a887cb9e032b150af7bc2c1a2acd66e170df776c47ae3a07f02370457bfe30d281f20f59801898920 |
memory/2532-500-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1448-508-0x00000000002B0000-0x0000000000341000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | be295cc1dce65627d0ff7b42e79ad790 |
| SHA1 | 613050a71398bffc4a5027f099138a57d404f426 |
| SHA256 | e4ff877adf628d7ada58e4c69f25548f42d7914f9b05599c18101a1e21f7a453 |
| SHA512 | f44fae10d5011e061597e31f20c1843887ac1660ac4062507c5e4cbd2a338ead082b45c3d433d9743a25b6636c3c706dfc2c58c7532d00f247de96897f0bb2ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 1548103e1299490d7d08fffa07918630 |
| SHA1 | c07b8d6c63bfba93d0b61533dec131c9df13bdd7 |
| SHA256 | 9d4c8ea2311df9881f7c6628b6a9fe101649cdf45e7f0f5cb1aef26801c99c34 |
| SHA512 | f309585e402638b3ff95e12b154bb0fe0babb8150f486b96124e9ca146c1a03b26d90402a2e6cefa5f701390547693329ef8814a49c7ac64e513f41d7d3caf39 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 55cf600d372cc65439f35275e06e18d0 |
| SHA1 | 9db69b0c9182baf5f6fda02a6da86d8ac22114e9 |
| SHA256 | 71c0841eb56f545f9a4bd8abe77f83a9ddd34d4ae2be73e6abcf057078838494 |
| SHA512 | c64c4ad1f95d2d6e4c807a21ecffc64f39ac6e44cb242af000e2391a2e3e9bc9ccfefb96e10be5cf174f4f27e9a105191e12d9233aecedfa79e83b2f84d592ec |
C:\Users\Admin\AppData\Local\96424831-b467-4015-b047-fc0605d71b31\build2.exe
| MD5 | 88c5ca503e8fecbca8ee889a892b165c |
| SHA1 | 2ec61a72dc88584abda48f19fb8e4d2847264aed |
| SHA256 | 41f6207540f5197717e1c601b43c9c89a5109ff3aab98fe80f6645f0ebd2a153 |
| SHA512 | 366035a481a439854094d13f8a0b9bf26e706dd43100421d92724baa1f9b1ceac74669e42e9331867a3c364f8e2f0c05d3387e5dea9d8669d29832614fa7b4b9 |
memory/1520-551-0x0000000000307000-0x0000000000322000-memory.dmp
memory/1520-553-0x00000000001C0000-0x00000000001F1000-memory.dmp
memory/1684-591-0x0000000001B90000-0x0000000001C90000-memory.dmp
memory/1684-592-0x0000000000400000-0x0000000001A34000-memory.dmp
memory/1316-596-0x0000000000400000-0x0000000000644000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 15:20
Reported
2024-03-11 15:22
Platform
win10v2004-20240226-en
Max time kernel
126s
Max time network
131s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Stealc
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B6B9.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQEHk30ZCMF08XA6daA7M7mV.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2Qbi460fuk6Day3HEHsDNBYs.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UALiPn0bEEMgv8iaZ5bhcts4.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLnXuyKCBXc85u8ujglpVXLa.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qHjZKfbREOgWY8Ov407cinWj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DcqKfeiXWi0YyYCA0mKO1MmI.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6\\B6B9.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\B6B9.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3672 set thread context of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\New.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 2204 set thread context of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\B6B9.exe | C:\Users\Admin\AppData\Local\Temp\B6B9.exe |
| PID 2244 set thread context of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\B6B9.exe | C:\Users\Admin\AppData\Local\Temp\B6B9.exe |
| PID 4080 set thread context of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\D639.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\B6B9.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-162 = "Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Windows\windefender.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\New.exe
"C:\Users\Admin\AppData\Local\Temp\New.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe
"C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe"
C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
"C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe"
C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp" /SL5="$801E2,1518993,56832,C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe"
C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe
"C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe"
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i
C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
"C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s
C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe
"C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
"C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
"C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --silent --allusers=0
C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6e6221c8,0x6e6221d4,0x6e6221e0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --version
C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
"C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1224 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240311152112" --session-guid=208ae88d-0526-43b9-85ae-846938541081 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5405000000000000
C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2c4,0x300,0x6db121c8,0x6db121d4,0x6db121e0
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2460 -ip 2460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1984
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x600040,0x60004c,0x600058
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E94.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\B6B9.exe
C:\Users\Admin\AppData\Local\Temp\B6B9.exe
C:\Users\Admin\AppData\Local\Temp\B6B9.exe
C:\Users\Admin\AppData\Local\Temp\B6B9.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\B6B9.exe
"C:\Users\Admin\AppData\Local\Temp\B6B9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\B6B9.exe
"C:\Users\Admin\AppData\Local\Temp\B6B9.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 624 -ip 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 568
C:\Users\Admin\AppData\Local\Temp\D639.exe
C:\Users\Admin\AppData\Local\Temp\D639.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 25d3fbd37ff5d6639622a5e0ecdb0e10 |
| SHA1 | 7d276361cf23eefb054a10a0467794a7346010e0 |
| SHA256 | ffe88bba8be83e4f1379f13550002dc4bc131f3b907e6fdc2a189c859b9232ee |
| SHA512 | ae561698b7c69f340c8ad1bd2913c3c0ee675571d0f1c3c6e000864c16aeb8145fa9f08c68588efae9757b5145961a4d6d83df7974fce14294a14a0116cace19 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\opera_package
| MD5 | 360efb56858be64f43fa1586e44c9f17 |
| SHA1 | 721007f5b2d71047fae49c502c76d8b91e0f5876 |
| SHA256 | f967395aa0c889a0d8202d9347a1de1050216a0c45995eb756644d4d70d3ff44 |
| SHA512 | 47a759f9fec7d0cd3868d479ee57d4057736e8c13f6c762f1615cd7356cdc7e7754b72c0df5992b488ba466fdb3041e1eb28b0ed4cb3a879f9c836aee9c97944 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\dbgcore.DLL
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | fa403614546e98428b577aa8e009c870 |
| SHA1 | 791d84ffe77113cdd0c2636d2df2cbebd9ec2ed4 |
| SHA256 | 30400ee1e76f5b1cb056571b470528af0351ae4bee6c98a744f0ba7aeaf4a79d |
| SHA512 | 138d5a87f3e9e7983a2b56b2522cb6898b171e594f1bcbb5f0d461e36e0a8e3b1b1c0e9585ed85ba37e75a75c0fed0561795047ebd97e0d4bb89996eceb6b365 |
C:\Users\Admin\AppData\Local\Temp\6E94.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 0152c0fbfba55b85e7f847867afbf00d |
| SHA1 | 0e09c666517e49526a7abefa94512cc30a556238 |
| SHA256 | 4c307d5f7e9006df16213fb3be5ed0e0836032d9aacb83c42d0a150525a9305a |
| SHA512 | c71c209ce051cb896784c382d013ed58d95d57c52b469aca4ba3c166ff88bd254ca037019f63afe88b47b8dc13c5483181b4ef0647c89bdf6c69296ebbd43ce5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Users\Admin\AppData\Local\Temp\B6B9.exe
| MD5 | 51597fedbf769613eac193b679de833d |
| SHA1 | 77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945 |
| SHA256 | b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c |
| SHA512 | 7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23 |