Malware Analysis Report

2025-01-02 11:15

Sample ID 240312-dn1wyagf54
Target c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe
SHA256 c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067
Tags
dcrat glupteba smokeloader socks5systemz stealc pub1 backdoor botnet discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067

Threat Level: Known bad

The file c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe was found to be: Known bad.

Malicious Activity Summary


Socks5Systemz

Stealc

SmokeLoader

Lumma Stealer

Glupteba payload

Detect Socks5Systemz Payload

DcRat

Windows security bypass

Glupteba

UPX dump on OEP (original entry point)

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing artifacts associated with disabling Windows Defender

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects executables containing URLs to raw contents of a Github gist

Detects executables Discord URL observed in first stage droppers

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables (downloaders) containing URLs to raw contents of a paste

Detects executables packed with VMProtect.

Detects Windows executables referencing non-Windows User-Agents

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Windows security modification

Modifies file permissions

Unexpected DNS network traffic destination

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

Manipulates WinMonFS driver.

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Modifies boot configuration data using bcdedit

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks processor information in registry

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 03:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 03:10

Reported

2024-03-12 03:12

Platform

win7-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgpvzWU3B0zrvxY8pYtNg9u2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4kbzdzaRVlAZzSJIM3VkeRYT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WEvKDqaxX0d0cHQaPAAXxiBZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZDKeX22VW3E6pqhadejs2yMj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqySBlLdnOaotpQeqez1DaOc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GrvElJYKO06x6qkPZO6ZBzWJ.exe = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables (downloaders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqySBlLdnOaotpQeqez1DaOc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4kbzdzaRVlAZzSJIM3VkeRYT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WEvKDqaxX0d0cHQaPAAXxiBZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgpvzWU3B0zrvxY8pYtNg9u2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZDKeX22VW3E6pqhadejs2yMj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe N/A
N/A N/A C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe N/A
N/A N/A C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe N/A
N/A N/A C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe N/A
N/A N/A C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GrvElJYKO06x6qkPZO6ZBzWJ.exe = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Modifies boot configuration data using bcdedit

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240312031025.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe N/A
N/A N/A C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp N/A
N/A N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2524 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2524 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2524 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2644 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe
PID 2644 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe
PID 2644 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe
PID 2644 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe
PID 2644 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe
PID 2644 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe
PID 2644 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe
PID 2644 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe
PID 2644 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe
PID 2644 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe
PID 2644 wrote to memory of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe
PID 1204 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp
PID 1204 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp
PID 1204 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp
PID 1204 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp
PID 1204 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp
PID 1204 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp
PID 1204 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp
PID 2508 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 2508 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 2508 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 2508 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 2644 wrote to memory of 1976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe
PID 2644 wrote to memory of 1976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe
PID 2644 wrote to memory of 1976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe
PID 2644 wrote to memory of 1976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe
PID 2508 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 2508 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 2508 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 2508 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 2160 wrote to memory of 704 N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe C:\Windows\system32\cmd.exe
PID 2160 wrote to memory of 704 N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe C:\Windows\system32\cmd.exe
PID 2160 wrote to memory of 704 N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe C:\Windows\system32\cmd.exe
PID 2160 wrote to memory of 704 N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe C:\Windows\system32\cmd.exe
PID 704 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 704 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 704 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2160 wrote to memory of 2348 N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe C:\Windows\rss\csrss.exe
PID 2160 wrote to memory of 2348 N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe C:\Windows\rss\csrss.exe
PID 2160 wrote to memory of 2348 N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe C:\Windows\rss\csrss.exe
PID 2160 wrote to memory of 2348 N/A C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe C:\Windows\rss\csrss.exe
PID 2348 wrote to memory of 2892 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2348 wrote to memory of 2892 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2348 wrote to memory of 2892 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2348 wrote to memory of 2892 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2644 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe
PID 2644 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe
PID 2644 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe
PID 2644 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe

"C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe

"C:\Users\Admin\Pictures\zp21oMLRDu3Vfy8qCBl29eS8.exe"

C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe

"C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe"

C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H6K96.tmp\wxNb1REuPpFqcvB34kxkYSJ8.tmp" /SL5="$60166,1741469,56832,C:\Users\Admin\Pictures\wxNb1REuPpFqcvB34kxkYSJ8.exe"

C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe

"C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe" -i

C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe

"C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe"

C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe

"C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe" -s

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240312031025.log C:\Windows\Logs\CBS\CbsPersist_20240312031025.cab

C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe

"C:\Users\Admin\Pictures\GrvElJYKO06x6qkPZO6ZBzWJ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe

"C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B329.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

SHA512 4170b1cc8e3f42c4cfe9b832d43669c022ba658b4f99428068e400a23f687b424bb0d3d6f8b8ac270a46d46c8284b01f6ba13a90a829a6ac1050e28cbc33b494

memory/2440-272-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 f91c85a571d6f46e75828ee1793e5af1
SHA1 696865ba07f805cf8d44ce914258921234c75ebd
SHA256 8429bda470ace5b9090095d9106af0fc3aa797fa0f07c468111a7db2be4b10c0
SHA512 1838e61d00dca550aade429b6641ec4360a49e2d509ea398f5d82ce3e6927c0c46ee524b3548d959d5cc4b9fd48dc3fe0943d1f025e8e81804960ffce0d3f94e

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 e2cbd976bcb6c9b4bae269a679694fc5
SHA1 b9843f68a5d1610dd7b509703efe5bc13b09a3f8
SHA256 d424540430ce1c8853a5d056922850908f842d8e594b1a124ddeb5437fa36b06
SHA512 bfa3319d2ac780c71a86ebe534b8e1908142f6f0726e9b103b86ee031136caff0168b3704c823036ca5275afc2f7e174464ee1a429fc3accc2c0881f90581c61

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 4f12fc18e8bf3c07b9183c9aa7e097e8
SHA1 5863e5f8afe6863e5eea03e46b6c5e66cbecc5e5
SHA256 2e9c48918a8505b7c80b74f3c1f716f94a191b2c79444e6957ba8ab1f9d99655
SHA512 3b6a277407302c61238d36e7c0be0105df9ae16a631fea1b2397e3c7f1c4919fc29e8a89290d5911102ec57b34c7414e0ef82466d0a9d5392f2d4ee41cc94fe1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b228b90e82188308e5d059f5acecdaeb
SHA1 f42f577bdb5ca6474b71737d1784705501185c2c
SHA256 6de1ff7333c44d40de8c2bf60173a605114e6db01483a18dedbc4b5f393e6014
SHA512 c14713d818d0572170407abf3a1fe33438634d12eaebefae28fd2129c995a5c92cf62aebb8cb81ab599d4b89023a1028e3c3749487186c24279f012cacac7d17

memory/2840-292-0x0000000000400000-0x00000000005EF000-memory.dmp

\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe

MD5 d4592db394c7ab34bae315fa93fe9719
SHA1 fa52ccd12fbd4862da69257787a612b505ce325a
SHA256 dc6e38821741f459af919fba5a4136a9e4c3ff930024b55a33cf682164aaf558
SHA512 11c35197edefba207407168b2cf655892878d4632d642efcc564151a34a4045d7685d5a94f4ede008185ff5b9ff18f3dc6e1cb2abdbc4e2972d5a7fe5748e0eb

C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe

MD5 a2a8aa251d5e3fe81088dcb8c789ac61
SHA1 4b9e7059a7d3ce0e1df341b841cbafbe6029e2c3
SHA256 845cde79f76abaa9d1e9fb5e1291c97b192dd3c30a47c70604c52beffc455f7f
SHA512 712263f0a27e4a2ccfb9753f1cc5129daa2ba371f46c22932f583a576062877fc87108fb9062e61549c28d1224caa04477a98d92c58db4dc496cf45e7802b077

C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe

MD5 4d10d0577e6e399e89ca12dd2e2e1d5a
SHA1 91f8d4f73d381860c68b0064a47b08b72fdb279f
SHA256 674d318da7f057b587270969c062707236c2f3568046691f6d6f8a9e90852f1c
SHA512 53cf3e23ef57f26f850ef792f28cd61e79cbb77ba1cfdce4cf2591953065affe0454ff00380ba7b1f7169789bb0e965f5fb7a9b97bee6a293a2d43eba91ac3be

C:\Users\Admin\Pictures\WcjvadbkoULZoyjm457OFcph.exe

MD5 740fb81d15d6d4f40a29f5ec98a5ac54
SHA1 0ddaed0062cc06c59f825b6834665cd445841136
SHA256 af9c753736f87b7ab8424b12a6e4efc007f371f39fab9cde7d58ccd1f2b81bce
SHA512 85450dbea4dbb43c15b6097ab2033ac0303fd249942ce92fc32a7ec6e4a8cbddfccf808f9dc8911f113797fbb01457e6b144691fd9ea8990264227b859a171d0

\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 45d22efe66c3573da47197ff44dd54f2
SHA1 5c426bc365f775fbb433e2219c0dd2d146fc4cfc
SHA256 e1cd1d1df222eeb723bc22f7ae326c151ea73ae6ef7c571516efe0dc1e2546fb
SHA512 f22efc1de7fa66019e82040298c5285e06a8d5e1d9ac1478aaf478b99814002ba027056db3528d9d5ef451e542b70cfe2a12f17503fdce9c9f779dfe92c0524f

\Users\Admin\AppData\Local\Temp\nst959D.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

memory/1716-327-0x0000000000400000-0x0000000001A32000-memory.dmp

memory/2348-326-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1716-325-0x0000000000220000-0x0000000000247000-memory.dmp

memory/1716-324-0x0000000001BF0000-0x0000000001CF0000-memory.dmp

memory/2840-323-0x0000000000400000-0x00000000005EF000-memory.dmp

memory/2840-337-0x0000000000400000-0x00000000005EF000-memory.dmp

memory/1716-338-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B329.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 eee5ddcffbed16222cac0a1b4e2e466e
SHA1 28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
SHA256 2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
SHA512 8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

memory/2752-384-0x0000000005790000-0x0000000005CC0000-memory.dmp

memory/2752-383-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2348-386-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/2224-387-0x0000000000400000-0x0000000000930000-memory.dmp

memory/2224-388-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2348-402-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1716-403-0x0000000000400000-0x0000000001A32000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2840-412-0x0000000000400000-0x00000000005EF000-memory.dmp

memory/2224-413-0x0000000000400000-0x0000000000930000-memory.dmp

memory/2348-416-0x0000000000400000-0x0000000001E16000-memory.dmp

memory/1716-418-0x0000000001BF0000-0x0000000001CF0000-memory.dmp

memory/2840-419-0x0000000000400000-0x00000000005EF000-memory.dmp

memory/2224-425-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2840-435-0x0000000002590000-0x0000000002634000-memory.dmp

memory/2840-456-0x0000000002590000-0x0000000002634000-memory.dmp

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1712-494-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2444-497-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1712-499-0x0000000000400000-0x00000000008DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 03:10

Reported

2024-03-12 03:12

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables (downloaders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\76D2.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y4l0x92JWtyeAroRGLzZvV8e.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lKZHwAtLRPMKIXQba5urXU12.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KNwF1qXu4KusgLTsphYiAHIU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvYFX5eUArShe3qAwAVvhhSC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMxuooMeahrxsXgdlR3C9nIX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UF1zAqfUem3vnmfr5FRgGHkj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp N/A
N/A N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe N/A
N/A N/A C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe N/A
N/A N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
N/A N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
N/A N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
N/A N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
N/A N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
N/A N/A C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9DA4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\49D4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA64.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1215e589-af49-43c4-8c1b-44cd497b07ca\\76D2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\76D2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp N/A
N/A N/A C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe N/A
N/A N/A C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 792 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 1044 wrote to memory of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe
PID 1044 wrote to memory of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe
PID 1044 wrote to memory of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe
PID 2640 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp
PID 2640 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp
PID 2640 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp
PID 1044 wrote to memory of 3892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe
PID 1044 wrote to memory of 3892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe
PID 1044 wrote to memory of 3892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe
PID 1892 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 1892 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 1892 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 1044 wrote to memory of 3312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe
PID 1044 wrote to memory of 3312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe
PID 1044 wrote to memory of 3312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe
PID 1892 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 1892 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 1892 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 3892 wrote to memory of 2096 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 2096 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3892 wrote to memory of 2096 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 1044 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 1044 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 4064 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 4064 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 4064 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 4360 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 4360 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 4360 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 3700 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 3700 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 3700 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3700 wrote to memory of 2804 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3700 wrote to memory of 2804 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3700 wrote to memory of 2804 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3180 wrote to memory of 4732 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3180 wrote to memory of 4732 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3180 wrote to memory of 4732 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3180 wrote to memory of 8 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\system32\cmd.exe
PID 3180 wrote to memory of 8 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\system32\cmd.exe
PID 1044 wrote to memory of 4624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe
PID 1044 wrote to memory of 4624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe
PID 1044 wrote to memory of 4624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe
PID 8 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 8 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4624 wrote to memory of 3336 N/A C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 4624 wrote to memory of 3336 N/A C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 4624 wrote to memory of 3336 N/A C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 3180 wrote to memory of 1252 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3180 wrote to memory of 1252 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3180 wrote to memory of 1252 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 2780 N/A C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4624 wrote to memory of 2780 N/A C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
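
The WriteProcessMemory rows above carry parent and child PIDs together with both image paths, which is enough to rebuild the injection chain without the sandbox's own process tree. The Python below is an added example and not code from the report: it parses the rows, collapses repeated writes into a single parent-to-child edge while keeping the tally, renders the chain as an indented tree, and flags edges where a binary outside the Windows directory writes many times into a Microsoft binary. The rows are copied from the table; the threshold of four writes and the reading of such an edge as a hollowing candidate are assumptions of the example, to be confirmed against the UnmapMainImage and MapViewOfSection signatures and a memory dump.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above.
# Constructed input for this example: each parent->child edge is listed once
# here (the report repeats most of them two or three times); the eight writes
# into jsc.exe are re-added below so that tally stays faithful.
ROWS = r"""
PID 792 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe
PID 2640 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp
PID 1044 wrote to memory of 3892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe
PID 1892 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe
PID 1044 wrote to memory of 3312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe
PID 3892 wrote to memory of 2096 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1044 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 4064 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3036 wrote to memory of 4360 N/A C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe
PID 3180 wrote to memory of 4732 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3180 wrote to memory of 8 N/A C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe C:\Windows\system32\cmd.exe
PID 1044 wrote to memory of 4624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe
PID 8 wrote to memory of 3624 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4624 wrote to memory of 3336 N/A C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 4624 wrote to memory of 2780 N/A C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
"""
JSC_ROW = (r"PID 792 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe"
           r" C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe")
ROWS += ("\n" + JSC_ROW) * 8  # the report logs this write eight times

# "PID <p> wrote to memory of <c> N/A <parent path> <child path>"; the child
# path is the first token that starts with "C:\" after the parent path.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return [(parent_pid, child_pid, parent_path, child_path)], one per row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:  # rows the sandbox left as N/A do not match and are skipped
            ppid, cpid, ppath, cpath = m.groups()
            rows.append((int(ppid), int(cpid), ppath, cpath))
    return rows


def build_tree(rows):
    """Collapse repeated writes into one parent->child edge but keep the tally."""
    names, children, writes = {}, defaultdict(list), Counter()
    for ppid, cpid, ppath, cpath in rows:
        names.setdefault(ppid, ppath)
        names.setdefault(cpid, cpath)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
        writes[(ppid, cpid)] += 1
    return names, dict(children), writes


def roots(names, children):
    """PIDs that are never a write target: the heads of each chain."""
    targets = {c for kids in children.values() for c in kids}
    return sorted(p for p in names if p not in targets)


def render(names, children, writes, pid, depth=0):
    """Indented text tree; each child line carries the number of writes it received."""
    lines = ["  " * depth + f"{pid} {basename(names[pid])}"]
    for kid in children.get(pid, []):
        sub = render(names, children, writes, kid, depth + 1)
        sub[0] += f"  writes={writes[(pid, kid)]}"
        lines.extend(sub)
    return lines


def hollowing_candidates(names, children, writes, min_writes=4):
    """Heuristic (this example's assumption): a parent outside the Windows
    directory writing repeatedly into a child that is a Microsoft binary.
    Plain process creation also produces a couple of writes (environment
    block, startup data), hence the threshold."""
    hits = []
    for (ppid, cpid), n in writes.items():
        parent, child = names[ppid].lower(), names[cpid].lower()
        if (n >= min_writes and child.startswith("c:\\windows\\")
                and not parent.startswith("c:\\windows\\")):
            hits.append((ppid, cpid, basename(names[cpid]), n))
    return hits


if __name__ == "__main__":
    names, children, writes = build_tree(parse_rows(ROWS))
    for root in roots(names, children):
        print("\n".join(render(names, children, writes, root)))
    print("hollowing candidates:", hollowing_candidates(names, children, writes))
```

Run as-is it prints two chains: the sample (PID 792) writing into powershell.exe and eight times into jsc.exe, with jsc.exe then spawning the five payloads in the Pictures folder, and a second bU55r6fDNC2XYnpI7x2nz64X.exe instance (PID 3180, whose own parent is not among the rows) driving cmd.exe and schtasks.exe.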

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe

"C:\Users\Admin\AppData\Local\Temp\c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe

"C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe"

C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VDFL2.tmp\78VPQf30xfDaNqamK5tNzm7n.tmp" /SL5="$100058,1741469,56832,C:\Users\Admin\Pictures\78VPQf30xfDaNqamK5tNzm7n.exe"

C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe

"C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe"

C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe

"C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe" -i

C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe

"C:\Users\Admin\Pictures\KzalldW4RFwV6q6yKJmc2zUy.exe"

C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe

"C:\Users\Admin\AppData\Local\Website HTML to PDF\websitehtml2pdf.exe" -s

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe

"C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe" --silent --allusers=0

C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe

C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2c8,0x2ec,0x2f0,0x24c,0x2f4,0x6ef421c8,0x6ef421d4,0x6ef421e0

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QpRFSrNhS5ZTsUqX4PTlrHTi.exe" --version

C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe

"C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3036 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240312031032" --session-guid=8452ce8c-df71-457b-b773-2794b972dc31 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=CC04000000000000

C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe

C:\Users\Admin\Pictures\QpRFSrNhS5ZTsUqX4PTlrHTi.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2fc,0x300,0x304,0x2d0,0x308,0x6de021c8,0x6de021d4,0x6de021e0

C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe

"C:\Users\Admin\Pictures\bU55r6fDNC2XYnpI7x2nz64X.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe

"C:\Users\Admin\Pictures\NgMVolUFzFH9Z7ZfaZ9pkhwr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4949.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
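
The sc sdset line above replaces the security descriptor of the WinDefender service. The Python below, added here as an example and not code from the report, decodes that SDDL string: the Builtin Administrators allow ACE has been stripped of WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a separate deny ACE makes the lock-out explicit, so an elevated `sc stop` or `net stop` fails with access denied. The same principal keeps WD (WRITE_DAC), which is the recovery path: rewrite the descriptor with another sc sdset, then stop the service. The two-letter right and SID codes are the documented SDDL values for service objects; the effective-rights computation only looks at ACEs naming a trustee directly and does not expand group membership.

```python
import re

# The descriptor from the `sc sdset WinDefender ...` command line above.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# SDDL two-letter access codes as they apply to service objects.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations used in this descriptor. Note that "WD" means
# Everyone in the trustee field but WRITE_DAC in the rights field.
SIDS = {"SY": "Local System", "BA": "Builtin Administrators",
        "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_acl(text):
    """Turn one ACL string into a list of ACE dicts. Rights are split into
    two-letter codes; hex access masks are not handled by this example."""
    acl = []
    for m in ACE.finditer(text):
        atype, flags, rights, _, _, sid = m.groups()
        acl.append({"type": ACE_TYPES.get(atype, atype), "flags": flags,
                    "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)],
                    "trustee": SIDS.get(sid, sid)})
    return acl


def parse_sddl(sddl):
    """Split 'D:...S:...' into (dacl, sacl)."""
    dacl_text, _, sacl_text = sddl.partition("S:")
    return parse_acl(dacl_text), parse_acl(sacl_text)


def effective_rights(dacl, trustee):
    """(allowed, denied) for ACEs naming this trustee directly. A deny beats an
    allow for the same right; group membership is not expanded here."""
    allowed, denied = set(), set()
    for ace in dacl:
        if ace["trustee"] == trustee:
            (denied if ace["type"] == "deny" else allowed).update(ace["rights"])
    return allowed - denied, denied


def lockout_findings(dacl):
    """Trustees explicitly denied SERVICE_STOP or SERVICE_PAUSE_CONTINUE, and
    whether they still hold WRITE_DAC (so the descriptor can be rewritten)."""
    findings = []
    for trustee in dict.fromkeys(ace["trustee"] for ace in dacl):
        allowed, denied = effective_rights(dacl, trustee)
        control = {"WP", "DT"} & denied
        if control:
            findings.append((trustee, sorted(RIGHTS[r] for r in control),
                             "WD" in allowed))
    return findings


if __name__ == "__main__":
    dacl, sacl = parse_sddl(SDDL)
    for ace in dacl:
        print(f"{ace['type']:5} {ace['trustee']:25} "
              + ", ".join(RIGHTS.get(r, r) for r in ace["rights"]))
    for ace in sacl:  # (AU;FA;...;;;WD): audit failed access attempts by Everyone
        print(f"{ace['type']:5} {ace['trustee']:25} flags={ace['flags']}")
    for trustee, denied, can_fix in lockout_findings(dacl):
        print(f"{trustee}: denied {denied}; still holds WRITE_DAC: {can_fix}")
```

The deny ACE also sits after the allow ACEs rather than first, which is non-canonical order; sc sdset accepts it regardless. Had the deny covered WD and WO as well, an administrator would have had to take ownership through a privileged token before the descriptor could be reset.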

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\76D2.exe

C:\Users\Admin\AppData\Local\Temp\76D2.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403120310321\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xdc0040,0xdc004c,0xdc0058

C:\Users\Admin\AppData\Local\Temp\76D2.exe

C:\Users\Admin\AppData\Local\Temp\76D2.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1215e589-af49-43c4-8c1b-44cd497b07ca" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\76D2.exe

"C:\Users\Admin\AppData\Local\Temp\76D2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\76D2.exe

"C:\Users\Admin\AppData\Local\Temp\76D2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1260 -ip 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 568

C:\Users\Admin\AppData\Local\Temp\9DA4.exe

C:\Users\Admin\AppData\Local\Temp\9DA4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\49D4.exe

C:\Users\Admin\AppData\Local\Temp\49D4.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66A4.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3336 -ip 3336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 3396

C:\Users\Admin\AppData\Local\Temp\AA64.exe

C:\Users\Admin\AppData\Local\Temp\AA64.exe
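
Read together, the command lines in this section form a compact set of defence-evasion and persistence artefacts: a Defender exclusion for the whole user profile, an inbound firewall allow rule and an ONLOGON task with highest privileges for a csrss.exe that lives in C:\Windows\rss rather than System32, a second task firing every 30 minutes, a service descriptor carrying a deny ACE, an icacls deny for Everyone on a dropped directory, and a hooking DLL injected into taskmgr.exe. The Python below is an added example and not code from the report: it runs a small rule set over those command lines and maps each hit to the ATT&CK Enterprise technique it corresponds to. The rule patterns, the list of system binary names checked for masquerading, and the choice of what counts as a benign line are assumptions of the example.

```python
import re

# Command lines copied from the Processes section above (constructed input for
# this example; two benign lines are included to show they stay quiet).
CMDLINES = [
    r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Windows\rss\csrss.exe',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'"C:\Windows\windefender.exe"',
    r'icacls "C:\Users\Admin\AppData\Local\1215e589-af49-43c4-8c1b-44cd497b07ca" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'powershell -nologo -noprofile',
    r'chcp 1251',
]

# Directories a core Windows binary is expected to run from, and the names this
# example treats as "core" (an assumption; extend for your estate).
SYSTEM_DIRS = {"c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
SYSTEM_NAMES = "csrss|smss|lsass|services|winlogon|wininit|svchost|explorer"
MASQ = re.compile(r'([a-z]:\\(?:[^"\s]*\\)?)(?:' + SYSTEM_NAMES + r')\.exe', re.I)


def masquerade(cmd):
    """A core Windows binary name launched from, or pointed at, a directory
    other than System32/SysWOW64 (covers the image, /TR and program= paths)."""
    return any(m.group(1).lower() not in SYSTEM_DIRS for m in MASQ.finditer(cmd))


def regex_rule(pattern):
    rx = re.compile(pattern, re.I)
    return lambda cmd: rx.search(cmd) is not None


# (rule name, ATT&CK technique, matcher). Order is the order hits are reported.
RULES = [
    ("Defender exclusion added", "T1562.001",
     regex_rule(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)")),
    ("Inbound firewall allow rule for a program", "T1562.004",
     regex_rule(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow\b.*program=")),
    ("Scheduled task at logon with highest privileges", "T1053.005",
     regex_rule(r"schtasks\b.*/create\b.*/sc\s+onlogon\b.*/rl\s+highest")),
    ("Scheduled task with minute-level trigger", "T1053.005",
     regex_rule(r"schtasks\b.*/create\b.*/sc\s+minute\b")),
    ("Service descriptor contains a deny ACE", "T1562.001",
     regex_rule(r"\bsc\s+sdset\b.*\(D;")),
    ("Everyone (S-1-1-0) denied delete on a directory", "T1222.001",
     regex_rule(r"icacls\b.*/deny\s+\*?S-1-1-0:.*\bD[EC]\b")),
    ("DLL injected into Task Manager", "T1055",
     regex_rule(r"injector\.exe\s+taskmgr\.exe\s+.*\.dll")),
    ("System binary name outside System32/SysWOW64", "T1036.005", masquerade),
]


def triage(cmdlines):
    """Return, in input order, each command line that trips at least one rule."""
    out = []
    for cmd in cmdlines:
        hits = [(name, tid) for name, tid, match in RULES if match(cmd)]
        if hits:
            out.append({"cmd": cmd, "hits": hits})
    return out


def techniques(results):
    """Sorted set of technique IDs seen across all hits."""
    return sorted({tid for r in results for _, tid in r["hits"]})


if __name__ == "__main__":
    results = triage(CMDLINES)
    for r in results:
        print(r["cmd"][:70])
        for name, tid in r["hits"]:
            print(f"    {tid:10} {name}")
    print("techniques:", ", ".join(techniques(results)))
```

The Opera installer processes (the QpRFSrNhS5ZTsUqX4PTlrHTi.exe lines with --backend --install and the crashpad handlers) appear, from their arguments and the opera.com traffic in the Network section, to be a genuine network installer bundled alongside the payloads, so they get no rule here; the AuthRoot certificate write attributed to that process under "Modifies system certificate store" should be weighed in the same light rather than read as a malicious root-store change.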

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.169.89:443 yip.su tcp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 midnight.bestsup.su udp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 namecloudvideo.org udp
US 8.8.8.8:53 net.geo.opera.com udp
DE 185.172.128.126:80 185.172.128.126 tcp
US 15.204.49.148:80 15.204.49.148 tcp
US 172.67.171.112:80 midnight.bestsup.su tcp
US 104.21.65.148:443 namecloudvideo.org tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
RU 194.87.206.12:80 galandskiyher5.com tcp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
US 8.8.8.8:53 148.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 126.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 148.49.204.15.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 shipbank.org udp
US 104.21.10.217:443 shipbank.org tcp
US 8.8.8.8:53 12.206.87.194.in-addr.arpa udp
US 8.8.8.8:53 217.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 123.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 82.145.216.15:443 features.opera-api2.com tcp
NL 82.145.216.24:443 download.opera.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 download3.operacdn.com udp

Files
