Analysis Overview
SHA256
c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
Threat Level: Known bad
The file c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe was found to be: Known bad.
Malicious Activity Summary
Socks5Systemz
Stealc
SmokeLoader
Lumma Stealer
Glupteba payload
Detect Socks5Systemz Payload
DcRat
Windows security bypass
Glupteba
UPX dump on OEP (original entry point)
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing artifacts associated with disabling Windows Defender
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detect binaries embedding considerable number of MFA browser extension IDs.
Detects executables containing URLs to raw contents of a Github gist
Detects executables Discord URL observed in first stage droppers
Detects executables referencing many varying, potentially fake Windows User-Agents
Detects executables (downloaders) containing URLs to raw contents of a paste
Detects executables packed with VMProtect.
Detects Windows executables referencing non-Windows User-Agents
Downloads MZ/PE file
Modifies Windows Firewall
UPX packed file
Windows security modification
Modifies file permissions
Unexpected DNS network traffic destination
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Manipulates WinMonFS driver.
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Modifies boot configuration data using bcdedit
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Drops file in Windows directory
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Checks processor information in registry
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-12 03:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 03:10
Reported
2024-03-12 03:12
Platform
win7-20240221-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgpvzWU3B0zrvxY8pYtNg9u2.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4kbzdzaRVlAZzSJIM3VkeRYT.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WEvKDqaxX0d0cHQaPAAXxiBZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZDKeX22VW3E6pqhadejs2yMj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqySBlLdnOaotpQeqez1DaOc.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socks5Systemz
Stealc
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GrvElJYKO06x6qkPZO6ZBzWJ.exe = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables (downloaders) containing URLs to raw contents of a paste
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many varying, potentially fake Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqySBlLdnOaotpQeqez1DaOc.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4kbzdzaRVlAZzSJIM3VkeRYT.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WEvKDqaxX0d0cHQaPAAXxiBZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgpvzWU3B0zrvxY8pYtNg9u2.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZDKeX22VW3E6pqhadejs2yMj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 91.211.247.248 | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GrvElJYKO06x6qkPZO6ZBzWJ.exe = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2524 set thread context of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240312031025.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate data omitted] | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate data omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate data omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe
"C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe
"C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe"
C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe
"C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe"
C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp" /SL5="$60166,1741469,56832,C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe"
C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
"C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe" -i
C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe
"C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe"
C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
"C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe" -s
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240312031025.log C:\Windows\Logs\CBS\CbsPersist_20240312031025.cab
C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe
"C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe
"C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B329.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
Files
memory/2840-456-0x0000000002590000-0x0000000002634000-memory.dmp
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/1712-494-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2444-497-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1712-499-0x0000000000400000-0x00000000008DF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 03:10
Reported
2024-03-12 03:12
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Socks5Systemz
Stealc
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables (downloaders) containing URLs to raw contents of a paste
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many varying, potentially fake Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\76D2.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y4l0x92JWtyeAroRGLzZvV8e.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lKZHwAtLRPMKIXQba5urXU12.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KNwF1qXu4KusgLTsphYiAHIU.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvYFX5eUArShe3qAwAVvhhSC.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMxuooMeahrxsXgdlR3C9nIX.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UF1zAqfUem3vnmfr5FRgGHkj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 141.98.234.31 | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1215e589-af49-43c4-8c1b-44cd497b07ca\\76D2.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\76D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 792 set thread context of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 5268 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\76D2.exe | C:\Users\Admin\AppData\Local\Temp\76D2.exe |
| PID 5424 set thread context of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\76D2.exe | C:\Users\Admin\AppData\Local\Temp\76D2.exe |
| PID 5832 set thread context of 5916 | N/A | C:\Users\Admin\AppData\Local\Temp\9DA4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\76D2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956e
eca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe
"C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe
"C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe"
C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp" /SL5="$100058,1741469,56832,C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe"
C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe
"C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe"
C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
"C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe" -i
C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe
"C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe"
C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
"C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe" -s
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
"C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe" --silent --allusers=0
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2c8,0x2ec,0x2f0,0x24c,0x2f4,0x6ef421c8,0x6ef421d4,0x6ef421e0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe" --version
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
"C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3036 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240312031032" --session-guid=8452ce8c-df71-457b-b773-2794b972dc31 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=CC04000000000000
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2fc,0x300,0x304,0x2d0,0x308,0x6de021c8,0x6de021d4,0x6de021e0
C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe
"C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe
"C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4949.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\76D2.exe
C:\Users\Admin\AppData\Local\Temp\76D2.exe
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xdc0040,0xdc004c,0xdc0058
C:\Users\Admin\AppData\Local\Temp\76D2.exe
C:\Users\Admin\AppData\Local\Temp\76D2.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1215e589-af49-43c4-8c1b-44cd497b07ca" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\76D2.exe
"C:\Users\Admin\AppData\Local\Temp\76D2.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\76D2.exe
"C:\Users\Admin\AppData\Local\Temp\76D2.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1260 -ip 1260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 568
C:\Users\Admin\AppData\Local\Temp\9DA4.exe
C:\Users\Admin\AppData\Local\Temp\9DA4.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\49D4.exe
C:\Users\Admin\AppData\Local\Temp\49D4.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66A4.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3336 -ip 3336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 3396
C:\Users\Admin\AppData\Local\Temp\AA64.exe
C:\Users\Admin\AppData\Local\Temp\AA64.exe
Network
| Country | Destination | Domain | Proto |
Files
memory/2096-153-0x00000000071D0000-0x0000000007202000-memory.dmp
memory/2096-152-0x000000007F230000-0x000000007F240000-memory.dmp
memory/2096-159-0x000000006F580000-0x000000006F5CC000-memory.dmp
memory/2096-165-0x000000006F1F0000-0x000000006F544000-memory.dmp
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
| MD5 | a617720e66ae0396ae34fa47336198eb |
| SHA1 | 4d0fba0526fc2d6adf3e1ab38a578ca0eda9f3c7 |
| SHA256 | 3b278b7cda267add420f93e2785e28097571d033ae6459fbf210bbc4ec05ab11 |
| SHA512 | a97475111d49085f16b4821ec13843e50167af26a98ce3a5221cd9727bfd3e0532cc4561d5d724618563bb403a97ff9687aafce3940f2db650944603802194b4 |
memory/2096-176-0x00000000071B0000-0x00000000071CE000-memory.dmp
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
| MD5 | 3a7c324eb1b48273084c205cad814bd6 |
| SHA1 | 0ed79ab96ca300470fd045b71f64c60cf2a767e0 |
| SHA256 | 61915b7f9d843e4b4070ed8020ab980c8042dd99e1336f8fb70d50bbcd4ba089 |
| SHA512 | 84360fb3dbf6e17989348916cc958892aa388cfaeb1603308963da5ca8e58f1d4ab752c6b52bed0c33440563a10f9487972cb71cb2b69819a7109bf63facfbeb |
memory/2096-179-0x0000000007210000-0x00000000072B3000-memory.dmp
memory/3036-181-0x00000000000A0000-0x00000000005D8000-memory.dmp
memory/2096-183-0x0000000007300000-0x000000000730A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120310306913036.dll
| MD5 | 7275cd1d05589fd14be76b1e4120a0ed |
| SHA1 | d032c889b7987f830d41a9dc2d5913b84dba5873 |
| SHA256 | f516d5c8ad15c98a6800fd63d80bfa67871e33e6c35d516843fcd7aa91fbb3da |
| SHA512 | 4728efa8c2f73dc97fe660898913771e122f939f05434fe391764823776d05c7bccbe17feda3b12a37ae18c8fad241136aef37781a747096e203df9478d92057 |
memory/2096-184-0x0000000007410000-0x00000000074A6000-memory.dmp
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
| MD5 | 2dd20c67e2194bf94eeb258f02053529 |
| SHA1 | 6d93c9a2762384f9af365046c42ddd19ab62b3ad |
| SHA256 | 16d5536f9cf5f8719a326d6f6fb5a25ede5c03d974dfb0b6bf27914bf25bf43f |
| SHA512 | f6ea21ea99a07c8b8107c74bfddf990922a5710f77be1d154017a0095ce0f8e3af1ecef55266f2cc7ba3f23e3a767c97104d9e05823f02fbbb6b81664a83e44c |
memory/1892-187-0x0000000002350000-0x0000000002351000-memory.dmp
memory/2096-191-0x0000000007310000-0x0000000007321000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120310314414064.dll
| MD5 | fb3e7d99bbe35d4977d44f1d0bd51a5a |
| SHA1 | e7f264c2a9a4bd9d8609550dd37ce5b73bb63f34 |
| SHA256 | 5dc3cd55b4419ca4116264ca7434a31a7ca8bf7f28512e802a6dd46b984b8d66 |
| SHA512 | ec9df6013cac0269c0c4af22bede5028bd2a3967b01688d9c452a2155829587eb1cc22d482e90ef06af6bc06f45a81815a73df807711bc9d9c03099cb4dca0a6 |
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
| MD5 | 691c0daf7b2ced11929d27c70eb4c548 |
| SHA1 | 2e69124e0435b1b338efeb63fc4e8b2c32d812da |
| SHA256 | a67ba664295395a9d65b1a9e94781a14312d9a59d6f098e80bcc4ab046e461ae |
| SHA512 | 447d92b1afbb44c68e91ced169d299e73387a2bf1619363ce5d3d47ef8cda3d99334d420e51e7a0f7d63ff6a9fc2d9234d188c53424e940a3e06ba9e5ab080e5 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
| MD5 | a9d3c5b67a2edf51d4a29312903acebc |
| SHA1 | 523c89ff58ff41733eb5106fe01e9eab4a444466 |
| SHA256 | 5299b628b7690b10e619e9a2bc316a5f569858b031ffac7988664b482a5452f4 |
| SHA512 | 3d0922e65e458db42bd3799ee3e8ad7b8b46077012fe5ab4eddcf7bbf134b204be5a27dbbb139ea6299770845015cd6feb85767646d3863370c13c93ade6ad29 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120310318324360.dll
| MD5 | ace36922049eb9e8e5b0cd4d51bcf679 |
| SHA1 | e0a32671bf8d8ded09582fbe82f5192b957438e8 |
| SHA256 | 4ea144b2d573d779ea022f0d13c4b3adbfa28e0203add17dc0ca6aa15b96dcda |
| SHA512 | 8807dd3994a05dc72323ab2e6fb18f3312a3ea91b22b9c4fc8124d6b81de98acd2b53c95325fb5a3ec70339cbde14ce69cd8f858615196bd1e0f911846466b3b |
memory/4360-203-0x00000000000E0000-0x0000000000618000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120310318324360.dll
| MD5 | 88d2324df04f936e2fb6ddd13f642b1e |
| SHA1 | 3d34e91cba87a7f55886fb84b508a021a8d4092f |
| SHA256 | a55c5532dfa54f71b14c076b73012b222476db713571d9bdb33df9246b965544 |
| SHA512 | dc619e3c37fdc1be292bc92f84b5c8aa10a5dcb32000b647b8f2f72f05e0994cb8ea92c6a8b200831126915ae778ab9fc515be9bd24e303ed1db7baf62126dd5 |
memory/4064-204-0x00000000000A0000-0x00000000005D8000-memory.dmp
memory/3892-192-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/3892-207-0x0000000003930000-0x0000000003D2E000-memory.dmp
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
| MD5 | c8dfa45bbb3b1aa56b0da03a34bcda42 |
| SHA1 | ced063cda49f7cd6a57b87255b36480d8af11470 |
| SHA256 | c6a70c72e1c2e149bf0f9632d5831d561ffe8bd09011e0516c21cff2a5c433d4 |
| SHA512 | 9cdff1c057357543c17f750b2b0431305b47cfe7fa945bd828d0def15e0f3cbe7016047fe220e2686472beaf2e30e3d291d2143debf48b5084dba1bca3588ee0 |
memory/3700-211-0x00000000000A0000-0x00000000005D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120310323013700.dll
| MD5 | 5480dbac32a258c5a7051f61a081dc0f |
| SHA1 | a7aaff6515a52f2d799f1149ed3f9548af5a5cca |
| SHA256 | c64a94b8da9f0ff1954c95b14729ace2c19da91c08f8680ee94ca824b16defae |
| SHA512 | 5f73aa2604483d1e846e3a750ed538a95319b384d35af65bfa03c63f984e7e96b01a7ff1aba7cb1da08c94a57bb97901a7e7168d5697be830caf41fbcb14daf7 |
C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
| MD5 | 5d28e9408515ad80cc098ba9263d4182 |
| SHA1 | 5c9d08c1751a4cb129dfd51be1577574db1490c6 |
| SHA256 | 44d5c215d2f4bfcb395f5b675ff7a717779caac7a28bfa7dfb067e89367957b1 |
| SHA512 | 3c727094d35dd51878cdc4c7305dd9541cda59b564ff7310c7363220f875d1c67e615a298a5f2d9f00cc20ba94d41c9885539e4c8c9cdd9b97a2e2799a1c263a |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403120310329722804.dll
| MD5 | 9e65368cef81e2ba2e0a46a979cf5e7f |
| SHA1 | 4c39ef6a1bfec6f95d3f2eec772fde5ec9e24592 |
| SHA256 | fa093b0851f26c62cdf97205ce76d76dd2e724111734c3a0389618404bf6be29 |
| SHA512 | ae53f5b312a44502fccf0acce63364044d47cbab85f8588779f1f7bfca28025533f6379ed49f33d22ee4eb256eb42ef26ce711015fa93d7eeec92fa98106c809 |
memory/4252-214-0x0000000000400000-0x00000000005EF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 4934866bdb1e2785b849ecc04e00ddc9 |
| SHA1 | 02f04b6ca29ed244b8ea233e73eb6f268a6302aa |
| SHA256 | e8e97b5487ce4d4f5cb836a9a11af89816a7403ec57194dc715b2c64e5c0e817 |
| SHA512 | 16c7ef61f4bfc2fdb1d33c7e5c0c70b9603d6a7385c32b27ca39e6a7fc2d544d97b04664421134155985e5f9ca6035895b7e5d6b68d2ba19d04a5303c94fa940 |
memory/2804-222-0x00000000000A0000-0x00000000005D8000-memory.dmp
memory/2096-226-0x0000000007380000-0x000000000738E000-memory.dmp
memory/2096-227-0x0000000007390000-0x00000000073A4000-memory.dmp
memory/2096-228-0x00000000073E0000-0x00000000073FA000-memory.dmp
memory/2096-229-0x00000000073D0000-0x00000000073D8000-memory.dmp
memory/2096-232-0x0000000074FE0000-0x0000000075790000-memory.dmp
C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe
| MD5 | bbb4f916a5e85d2bff453a56b5518286 |
| SHA1 | 79903b71f2d2c97826363ee300a2a0092619499b |
| SHA256 | 019e2ef50921d74016528779a42f6b3907f382b1cb85d673d4c2d9b7242000a3 |
| SHA512 | a522614e44769502086d42b9dc510e04ab4f5a8487a169a4f8d6160413a96c23dfff914f5b248a110e33695d457f5e3765da82048fb2e49ca7209e860ec61ed4 |
memory/3180-235-0x0000000003B00000-0x0000000003EFA000-memory.dmp
memory/3180-236-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/4732-239-0x0000000002C50000-0x0000000002C60000-memory.dmp
memory/4732-240-0x0000000002C50000-0x0000000002C60000-memory.dmp
memory/4732-242-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/4732-253-0x0000000002C50000-0x0000000002C60000-memory.dmp
C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe
| MD5 | 740fb81d15d6d4f40a29f5ec98a5ac54 |
| SHA1 | 0ddaed0062cc06c59f825b6834665cd445841136 |
| SHA256 | af9c753736f87b7ab8424b12a6e4efc007f371f39fab9cde7d58ccd1f2b81bce |
| SHA512 | 85450dbea4dbb43c15b6097ab2033ac0303fd249942ce92fc32a7ec6e4a8cbddfccf808f9dc8911f113797fbb01457e6b144691fd9ea8990264227b859a171d0 |
C:\Users\Admin\AppData\Local\Temp\nsuDEE8.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 45d22efe66c3573da47197ff44dd54f2 |
| SHA1 | 5c426bc365f775fbb433e2219c0dd2d146fc4cfc |
| SHA256 | e1cd1d1df222eeb723bc22f7ae326c151ea73ae6ef7c571516efe0dc1e2546fb |
| SHA512 | f22efc1de7fa66019e82040298c5285e06a8d5e1d9ac1478aaf478b99814002ba027056db3528d9d5ef451e542b70cfe2a12f17503fdce9c9f779dfe92c0524f |
memory/3892-298-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/4252-299-0x0000000000400000-0x00000000005EF000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 5242aebb59a00b194def179aea6372c4 |
| SHA1 | a32116b7c50240668780799d5de13487584bf260 |
| SHA256 | 928e08cc429ab94c465aa4787b5aa95d7b14268262b28e57bbeab7397bb2765b |
| SHA512 | 4c4e8db96580d3011beef69711ece8116e452789e025e942dc30f3d79d8053f2599bf531a01b80db2df54bcf07847968e3d7a03a666dc351c6c55d1d0182c7a6 |
memory/3180-328-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | f0e775924790a1e58dd6931f5e10366f |
| SHA1 | 2dbfe7446d6216db704a0b9fd7fbef1574b1ba75 |
| SHA256 | 2e01c1110d9379cc3d7fc8f70763e861791bd3d7456244496d5fb833c3f4c142 |
| SHA512 | b81c2a7d61c3e1ba6551139d2056d8c5c87f4e277cc3499fa9b8f4ddbf30e337b2b22b74ee6bfb71917e324385135fdd1819deb3796835b7380f29d709c5b35c |
memory/4624-336-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b4d04f430441f32d425a28138355abde |
| SHA1 | 85c5dbbe7204bb80dd46e5803e57a676b5d3fded |
| SHA256 | 7a2be1c73ea22d2438ecaddb3a4ec15aebe0610567ba7cda0044836091ec3249 |
| SHA512 | 8e10152e72c2c7fef63962f7058571efec6a0bc2ddf04837766f3c679ed4ef9c54e3b80c448ac52f0325baf672d945abcaa69c0c94730ecad70bb46fddacc9a3 |
memory/3336-381-0x0000000000400000-0x0000000001A32000-memory.dmp
memory/4252-393-0x0000000000400000-0x00000000005EF000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 6a6794d2bd787d66c3cb6e2eace60116 |
| SHA1 | c65d7ef43b9f2b240c30bf06bc8af3ef548ee0f1 |
| SHA256 | 3115b47ffda9e3dcfa246462c88e48749fe5947bfc478f3dd9312d3cbbb779c2 |
| SHA512 | 437faa764d0f298a62671ae33cbec527f4b5b383af2ced463ca7f19af03c71bb090bf2b44f87a510838e12fa1ee0d90c5a586ae1bea13af01ecbc5f7cea783f2 |
C:\Windows\rss\csrss.exe
| MD5 | 0161f912b8a3a0ef079cb8be65e6804c |
| SHA1 | 20e0fa38a02e3ebbfbe2341c9d73f60e223bcd7a |
| SHA256 | 0830c5dbe1249d52a7ba4b3010e1007ad6e21433ec743c669ba4de8510349f54 |
| SHA512 | e5fe0ddb37a74bb82aac33227a17573e2a549ea06f398bdb7cfb6dd6a5a2afb5d45c44661ca59d54222f4f99ae3119371c39ab3418a64a4dfbb512f6598b446e |
memory/3180-406-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/2780-410-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3f22f6a5188ccddf29449ab37e514965 |
| SHA1 | ee6b5e4c7174789712fa3316364ab2d5c91fba0d |
| SHA256 | 7bcb5baa6cd02436adafbbaf608a2754fb7a669e05e8ac28e88f72ed9ecbfca2 |
| SHA512 | a0d24970aa66e4c1d5d4b42092b25fe54870a400912782eb3f969122b2988f6a20e84ba545c3595b2c2d636e0b124dad4406b4f8a3c9bc4823e97584305faa22 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 91e692720a6d134d3b342702288a74e4 |
| SHA1 | b9361ca17568ee7862b47ada846b34d419b4a781 |
| SHA256 | c0693d6b3b7db1438661c360da925942827df1b4e6072fc6b621c164187511c5 |
| SHA512 | d4724dc98307eb9769e48985515ccc1fa0e3f0a421e9adeb0503eebd17b359010606e9f662de015f8ad3451fd08e24e675178b9a2b5e87c3123d305a13639239 |
memory/4252-470-0x0000000000400000-0x00000000005EF000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 73932071b3a20b2732830da6cc7617fc |
| SHA1 | 6e59af7de04c90e1ba1a8b4ed262aae47da26488 |
| SHA256 | 9670c92530eff9a520e8b6e5e8fdace1a49abf0060f9f761b2e313956eed078e |
| SHA512 | 38e1e87e6e994e35fca6d7d96d11d140c9c6789ae3fcd891501442b21d19908988c41db0073c7552a3aac425d3f20d17e48894fc458b3cb3b0254ed231c4885a |
memory/3292-487-0x0000000000400000-0x0000000001E16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\4949.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/4252-522-0x0000000000400000-0x00000000005EF000-memory.dmp
memory/3292-527-0x0000000000400000-0x0000000001E16000-memory.dmp
memory/3336-538-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\opera_package
| MD5 | bcce07fff6654d6e6f30b512f8dd831d |
| SHA1 | db8d16b3a39a70da7175ee0ec3c508e147afc7e0 |
| SHA256 | 05776e2d7ae5028cf53abec4dcdfd2d8046fb8f2d87ebd49a6a795597e17511a |
| SHA512 | 0d5c7054ad147b2446893d3d920b8d824de6564207a25c840b12a807e09e502c40b5b5d4216731af49a567fd9087ba4584d2a3fe686c231e27b6b808f7b71b65 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\additional_file0.tmp
| MD5 | b4f66061c002a666d0c610cf75107ee1 |
| SHA1 | 6fb437c96a1f596e5635c0eb780695f5c4cb0fac |
| SHA256 | eb0de8a36e422d060a384563171844d9d9dc2cfb198d0e55a4162a84952b5727 |
| SHA512 | 872458a9401619bf7e9b5320cc2a3123e1c8f1ac8abaac6fdd461b9e0c4d4b3767a2b12e8941d6d0a75764b96098cef516b71ba8324cda052f5996cc8e61dda2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe
| MD5 | 140a1b4c3cfaf026bdab2a40c7c9ba26 |
| SHA1 | cdf556c613174f6e3c6628c126ed18c5d6b0f20f |
| SHA256 | 5359fed507c46216c1ddb386903710577a8b2ec0dfe1584d79e0a5b5e5d14e2a |
| SHA512 | 67ffa5fa38437456b83ad352240ef813440dfe817e484ed9c3e4ac85953ede3e764066dc14a4ff362da711e3beb7b173f1403641b02922e783a942a92d0106b5 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\dbghelp.dll
| MD5 | c538d4fec85bdbf51d33f9c872f1f245 |
| SHA1 | eb0b7a72a053dababf130ef2ae3d28c5a524d28d |
| SHA256 | 78967dff43e4672f077aa8f5fb406b61e8a03f015103993532f392327e8912d6 |
| SHA512 | ac3d1c564711cf3b6ef6176c14f72482b9ad25801f12824ee427ff87d06492a51fad85f3ede1519094c39c6fe15725b0f98b56d18eb690f7d8c5886b45cefde1 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\dbghelp.dll
| MD5 | 942a65c5cc08a7a1a8c517f2215bbd49 |
| SHA1 | c144cc4e06c5464f9f9a99744b21ad5492914b0d |
| SHA256 | 324dcd1f390b110d625178fe95e67f21661094da8c93a314099622734071fc24 |
| SHA512 | 4e5d01e8ec9e49b7383a3226ac4cb868a6d9a347ff925c85d32c122722a8b3e62de7645ece3df1aa8b891ede4d6617da43ef325acc282452e6b9fff75f3fb8e2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\dbgcore.dll
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
C:\Users\Admin\AppData\Local\Temp\76D2.exe
| MD5 | d204d78acc5a68472862c384018dd1a3 |
| SHA1 | 5c91a06e04474e91f0a21d9d609d365f83990b03 |
| SHA256 | 531d078ecb17cb4e48ce6927034f46848dcc9ed807df82b6a44941662fd4ec63 |
| SHA512 | 4187092e3127b5523ad66e56f25df9247839c1006fa9da063ee04a6bc11a0cb9a8edc764096fb47135cabe64259752a5abc9eba75eed1acf8ef95b8b1d452b6e |
C:\Users\Admin\AppData\Local\Temp\76D2.exe
| MD5 | fd4dcc56cf861be40cbd4d6f308b5a6a |
| SHA1 | de94b1cad8dc1e4462d2c1085caea30dcc00f5aa |
| SHA256 | 308f200200224da6fba05e26d89d27dade8c3fe42dda166c79e303d89eead13c |
| SHA512 | 5b9a9945f649389d6a6f15cb7e912e4e7b0429dc53a37056d42ad007ed40ace02805b68560197ca239fea9ad05a8e6a66772d4cd456e9eebaa167b7d88420dc7 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\dbghelp.dll
| MD5 | 9f9634667934511222ecfec8a1b23369 |
| SHA1 | 69d80187a3cf4b93ba9ad86c6983fcb33a01b92c |
| SHA256 | 4eb93a4fcb213817fb03168fc4c3b4f22860624218a14399fc586194ae55464b |
| SHA512 | bdfeccfdaad0d8414f09c92470d546fd23f8568b3c00048526af560bf4da8035735bd0d59feb23a7b0b87a2d142f5a93b0232ef3efb08414374d4d97abfb81c8 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe
| MD5 | 81e948af3529ca7d4caa57aa1ce378d2 |
| SHA1 | 7d798af140eaba747121a146ddb521979ede7a02 |
| SHA256 | 27109f6b9f4d1d4b2adc5f9fac3a88e7437cfb25e1e6df19950ccba73da1eeb7 |
| SHA512 | db87dbd8a263bec5714fdffdd605d31a5de7089626d0a7967ba15bb1d11def2e10eb81d821794b0b7e46452e57e572e32c5234f5b85e9d385da90f3943057b3d |
C:\Users\Admin\AppData\Local\Temp\76D2.exe
| MD5 | 109125669dc1ccce29f0c630d2d985eb |
| SHA1 | 2d1b211ff69b6d3ff178ee9716263631e8f39027 |
| SHA256 | 1718fb956c30c4a56490ecfc903ef34ed514ec13c1101d44ff4cf87095e5b064 |
| SHA512 | 92bbf2eb15f7083bf5b3d376e15289c5d5e027b38100ec7cf5db6f811fde1a8e21ef32c87b9dd5120c096fdfcb7307fe4987e5c92d81fbd2c2807bb076074ea9 |
C:\Users\Admin\AppData\Local\Temp\76D2.exe
| MD5 | a81c90a9781956177068a5619f70a113 |
| SHA1 | 56924f0cd9bf19f10ec0957ce632c366d515ffb1 |
| SHA256 | 4322b6cf84bceef8352105631f6e9b1afa3f7f31fe20bf1f0ba80b1e73ad5013 |
| SHA512 | 9f32f41ecfe191007f35ee74de025ef03c6f199cf2583e82ea7d925229769635b41e72eb5868e2eccd142627f1d49e9202ec3fe4ed40b006f40bbdbb26086854 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |