Malware Analysis Report

2024-11-30 02:08

Sample ID: 240328-2fa8baac9s
Target: 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
SHA256: 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
Tags: glupteba stealc zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer trojan upx lumma rhadamanthys
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc

Threat Level: Known bad

The file 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer trojan upx lumma rhadamanthys

Glupteba

Rhadamanthys

Detects DLL dropped by Raspberry Robin.

Windows security bypass

ZGRat

Detect ZGRat V1

Stealc

Glupteba payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Lumma Stealer

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Drops file in Drivers directory

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Reads user/profile data of local email clients

Loads dropped DLL

Reads data files stored by FTP clients

Executes dropped EXE

Windows security modification

UPX packed file

Reads user/profile data of web browsers

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Manipulates WinMon driver.

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Runs ping.exe

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-28 22:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-28 22:30
Reported: 2024-03-28 22:36
Platform: win7-20240221-en
Max time kernel: 294s
Max time network: 287s

Command Line

"C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\o0ux229IUgMZfOZnJsn4PXgg.exe = "0" C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\AKPqkG1XdFQPyrpprX0gnGsC.exe = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\rDqQVjdJtztifq3NkTSYjW43.exe = "0" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP9l6p7MjDj80ZYBKlmvFR0P.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A8vjjWWItIEFitEjYg56bE69.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O2jnQWDTGnMr5SqtxFGpmU2g.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6mmV5oDRUNfppU7MeWh1owBE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yJ8EaZ6Zw7PHyO0tonvxHyLs.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bvM5tzf8C09EVC2xwlTk1s3t.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aMH7ZC9LmJOMOyqpwqnsv22K.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VL0mSn1j6nd3j1Rz11atcWvI.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Za7OeW34cNHVdPhAmWPwEjiT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe N/A
N/A N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe N/A
N/A N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe N/A
N/A N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe N/A
N/A N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe N/A
N/A N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe N/A
N/A N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufs.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufs.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\rDqQVjdJtztifq3NkTSYjW43.exe = "0" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\AKPqkG1XdFQPyrpprX0gnGsC.exe = "0" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\o0ux229IUgMZfOZnJsn4PXgg.exe = "0" C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2000 set thread context of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240328223117.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ufs.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ufs.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ufs.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ufs.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ufs.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
N/A N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
N/A N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
N/A N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
N/A N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
N/A N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
N/A N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
N/A N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
N/A N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
N/A N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufs.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2000 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\system32\WerFault.exe
PID 2000 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\system32\WerFault.exe
PID 2000 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\system32\WerFault.exe
PID 2468 wrote to memory of 568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe
PID 2468 wrote to memory of 568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe
PID 2468 wrote to memory of 568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe
PID 2468 wrote to memory of 568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe
PID 2468 wrote to memory of 848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe
PID 2468 wrote to memory of 848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe
PID 2468 wrote to memory of 848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe
PID 2468 wrote to memory of 848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe
PID 2468 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe
PID 2468 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe
PID 2468 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe
PID 2468 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe
PID 2468 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe
PID 2468 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe
PID 2468 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe
PID 2468 wrote to memory of 1492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe
PID 2468 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe
PID 2468 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe
PID 2468 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe
PID 2468 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe
PID 2256 wrote to memory of 2368 N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 2368 N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 2368 N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 2368 N/A C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 2296 N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe C:\Users\Admin\AppData\Local\Temp\ufs.0.exe
PID 568 wrote to memory of 2296 N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe C:\Users\Admin\AppData\Local\Temp\ufs.0.exe
PID 568 wrote to memory of 2296 N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe C:\Users\Admin\AppData\Local\Temp\ufs.0.exe
PID 568 wrote to memory of 2296 N/A C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe C:\Users\Admin\AppData\Local\Temp\ufs.0.exe
PID 2368 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2312 wrote to memory of 2292 N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe C:\Windows\system32\cmd.exe
PID 2312 wrote to memory of 2292 N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe C:\Windows\system32\cmd.exe
PID 2312 wrote to memory of 2292 N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe C:\Windows\system32\cmd.exe
PID 2312 wrote to memory of 2292 N/A C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2292 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2292 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1692 wrote to memory of 2880 N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 2880 N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 2880 N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 2880 N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2880 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2880 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1692 wrote to memory of 1600 N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe C:\Windows\rss\csrss.exe
PID 1692 wrote to memory of 1600 N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe C:\Windows\rss\csrss.exe
PID 1692 wrote to memory of 1600 N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe C:\Windows\rss\csrss.exe
PID 1692 wrote to memory of 1600 N/A C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe C:\Windows\rss\csrss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe

"C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2000 -s 716

C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe

"C:\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe"

C:\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe

"C:\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe"

C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe

"C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe"

C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe

"C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe"

C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe

"C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240328223117.log C:\Windows\Logs\CBS\CbsPersist_20240328223117.cab

C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe

"C:\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe"

C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe

"C:\Users\Admin\Pictures\rDqQVjdJtztifq3NkTSYjW43.exe"

C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe

"C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Users\Admin\AppData\Local\Temp\ufs.0.exe

"C:\Users\Admin\AppData\Local\Temp\ufs.0.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\ufs.1.exe

"C:\Users\Admin\AppData\Local\Temp\ufs.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe"

C:\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe

"C:\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 sty.ink udp
DE 185.172.128.144:80 185.172.128.144 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 104.21.15.5:443 operandotwo.com tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.200.219:443 sty.ink tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 104.21.32.142:443 shipofdestiny.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 95.101.143.19:80 apps.identrust.com tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 8.8.8.8:53 lawyerbuyer.org udp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 8.8.8.8:53 guseman.org udp
US 104.21.80.30:443 guseman.org tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 92d1555d-dff1-4eba-b030-d779e9baf510.uuid.dumperstats.org udp
US 8.8.8.8:53 udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
FR 185.93.2.244:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 server15.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.111:443 server15.dumperstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
BG 185.82.216.111:443 server15.dumperstats.org tcp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.111:443 server15.dumperstats.org tcp

Files

memory/2000-0-0x0000000000080000-0x0000000000096000-memory.dmp

memory/2000-1-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/2000-2-0x000000001B590000-0x000000001B610000-memory.dmp

memory/2000-3-0x00000000006D0000-0x000000000072C000-memory.dmp

memory/2468-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-6-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2468-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2468-14-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2468-15-0x00000000005F0000-0x0000000000630000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar41F7.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d150943e20deff0d3af6df0e77c49e9c
SHA1 59abe75dd23b4cbc72b7c534f3e51caf18099683
SHA256 b4580105c2ec53ce7eedcd81713dad6507cfc52ac6cda665d75c52db01093c67
SHA512 677c02b59f864fa529bac3b0c675a59435a5dc7128be1244758fb0c1b40f0839a0a101cc73a24364ba7c138fa4695f48add459fec83d4bd9979b6edd998160e6

\Users\Admin\Pictures\0zd39W1gHkkSNhQHuOaQ1Q3z.exe

MD5 7fcc0bae1fa98de1d16819e6f85de171
SHA1 d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4
SHA256 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a
SHA512 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99cf7b6506ea0d7485b675565754e96d
SHA1 4094768195a7a13f196e9a8096ff694f625103e9
SHA256 a839e39de22476b8ca866a4a03e317070ca64a58dc17be6ad42e69464aacd140
SHA512 b9b993e58059e4b22f06dd7a477cf1da6e8daacf18d251d2e786454a4567230d1d46c9903e06a562f601740ed6b7e46875aea934499e50db3dc242acf7d019da

memory/568-160-0x0000000000C70000-0x0000000000D70000-memory.dmp

memory/568-161-0x0000000000230000-0x000000000029E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9ab9a60be7f59e4b38fa274a1b2014d
SHA1 c07d0eab19083dbcec74dab2ab59bc127ff66824
SHA256 7b3808589d3bb7f2e3a5b64591ac52f0271138205cf664c0033b5dd9681d95ec
SHA512 390f288747a05e603b1292dcb5fdd7dc5dc13225390e586391fcebee679a3a925fed471b75e72c5a8eb11d05dd4311d7f545ed3c8a475bf27c14c3c2963c66bc

memory/568-176-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bccc938cc929506388be0bef73f525e6
SHA1 c314b95a46a9cc5d953445ea8210f9a0d5329cff
SHA256 dbceaab8100f59bb3f1930dbf4016dd2efddf2385735d4d3eab2e7430662dde9
SHA512 5246c79f24abc7fd35bc22e55ed4c1ed4b5f5e0183ec89fc874575fd1bad1c6c5537cbfc680c9c1a0e7bbcf6060fb3302a0f1f87412a0e8fd7a717584206bb04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb6ceb73a79ca5ed404726a5d2340717
SHA1 518c19a12ffb629be3359d0810a01ac93bea6f70
SHA256 0fccc824fff10c25b9cb7b83611e37af8b0539600ed6da50786f10f5a6b0776e
SHA512 7a2a1dc8f19dab46a39858953fe64c388a7dc7c8bfb292a85ea38fc26063be3b6b4097c880c86376ac6497b1fd37bfe0da6e8b0ec99e332ac327f9f9ab844ec9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 182f9b898ff075633af60fb85b4c4fe7
SHA1 d157410b25f3063d6fe1d2f63143c0ab8b17cdc9
SHA256 c162c107e137011a7ecea2e05228009a324f7feb3dc7ed7f3e0361f00a941c8e
SHA512 fdd838367edf961a7b07c779b739b9c338b99558d7ec0f46f3879ae9a1bf4fff2a84216ca2f7d3e5a2bf21a35dfbef6bf97960af9da79ced3e9da57141fbd05e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fa4f47ca5b55eb0d517383bc8aac83c
SHA1 05b14dd4d1eb13cd4f379a3a298f65aefacd4955
SHA256 c2723bc5c9a0d94d955b2702a7c11e0a551770c21225b39501928e8f3ae8e72c
SHA512 c9c54914d0fad2e8f6b28923d4da605fc619c3641efe82e194f38056d6f19ac5a38363a7af7eef8899129770992f8902401c336f873f9064894a61ac09cfdf4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abfa15d66f2ac533a60737cb53965306
SHA1 193149a247f2ca777a4f9bf7ac597dad4870889b
SHA256 f83d99ae0e3507bd44673843e10317cefe07fee0b18bdcc426ca765ab41bcb8f
SHA512 fa742e0ccef3430515b2557f421af208dad16240cf04aced0eab97797b1e20bd1e43ac95b17e6635df89ee666a91ec645397de0281ea84f669545dab47814713

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 b57e543da6de4fbb05b4555667da9570
SHA1 4cc3b53cc3f71cb8e8de8304aaae0c8866c92ea1
SHA256 758b023ef6efb9dbf6b2e99c2338063c92f31f7dabfa9778c4da5bb020cc32dc
SHA512 01a4fe7edac34b9007b333f7312fd1367abf3fc044bd3dc47a38689d100687b41f7c25cdacb94b682f3991915c7d10838aefcb15c7dadf3113afea8c9fa91f24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77fa2e5f10a94917406fcf6678466bb6
SHA1 0ced973d3f4a713ded271991028aea44d954e92b
SHA256 508b21d2cd346c88e63283c52fc781cec6e0af8e12fc8529a4d97a6a40b203e1
SHA512 42513bb4808179871446275ef1e4c588498b936cdf7d8607eddc56254ae2a6b6737bf552263170fee85391e46593bb51978fb01c30d6f47d086685b50bdb7ace

\Users\Admin\Pictures\2mMfUGxyHICIaTRCXyxj5igi.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/848-472-0x0000000000C90000-0x0000000000D90000-memory.dmp

memory/848-471-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/2000-474-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/848-473-0x0000000000220000-0x000000000026A000-memory.dmp

C:\Users\Admin\Pictures\AKPqkG1XdFQPyrpprX0gnGsC.exe

MD5 5f066ebf9264cad80bdb1384ce2a6b34
SHA1 a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc
SHA256 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1
SHA512 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5

memory/2060-506-0x00000000027C0000-0x0000000002BB8000-memory.dmp

memory/2000-507-0x000000001B590000-0x000000001B610000-memory.dmp

\Users\Admin\Pictures\o0ux229IUgMZfOZnJsn4PXgg.exe

MD5 6126c6923b352edf2507639b7fe78e8a
SHA1 1fd3edb62b8d44673772fb58a05c43d5360e8e5b
SHA256 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd
SHA512 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736

memory/2468-520-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2060-521-0x00000000027C0000-0x0000000002BB8000-memory.dmp

memory/1492-519-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/2060-524-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1492-525-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2060-526-0x0000000002BC0000-0x00000000034AB000-memory.dmp

memory/1492-527-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/2308-539-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2468-540-0x00000000005F0000-0x0000000000630000-memory.dmp

memory/2308-541-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2308-542-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2312-547-0x0000000002760000-0x0000000002B58000-memory.dmp

memory/2308-551-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/568-552-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/2256-553-0x00000000026B0000-0x0000000002AA8000-memory.dmp

memory/2256-550-0x00000000026B0000-0x0000000002AA8000-memory.dmp

memory/2312-548-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/568-554-0x0000000000C70000-0x0000000000D70000-memory.dmp

memory/2312-546-0x0000000002760000-0x0000000002B58000-memory.dmp

memory/1492-545-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2256-555-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1692-559-0x0000000002830000-0x0000000002C28000-memory.dmp

memory/1692-558-0x0000000002830000-0x0000000002C28000-memory.dmp

memory/2060-557-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1692-561-0x0000000000400000-0x0000000000ECD000-memory.dmp

\Users\Admin\AppData\Local\Temp\ufs.0.exe

MD5 4524e1a1e2725e159d68b3bca2c1b296
SHA1 0e3b226d0ebd227b911c5fc25d6a28478ed0a957
SHA256 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7
SHA512 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca

memory/2296-578-0x0000000000220000-0x0000000000247000-memory.dmp

memory/2296-577-0x0000000000BB0000-0x0000000000CB0000-memory.dmp

memory/2296-579-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1692-588-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1600-589-0x0000000002810000-0x0000000002C08000-memory.dmp

memory/2256-592-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2312-590-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1600-593-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1600-591-0x0000000002810000-0x0000000002C08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/2296-599-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1652-602-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/568-644-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1652-650-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ufs.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/568-665-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/580-666-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b67364e9555c9b02de431039e212c12e
SHA1 7616e3e96ddd6d0dda709674b7f9ae0653668a36
SHA256 e191511c79bb9ec990358b470f9f21a21a8639bc1960cd6d04cf83d0927de8d6
SHA512 74e77fbcfadfef4e184038bacb4d277ca41437c60b5284ae3e488b532ce74ecba38b194e3b8bd8fec41d64428008e5feb85fa5bc55e529b8674679541accba55

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 a71df0da9cf583851dabb1807aa81c09
SHA1 89e2780bd65f11dbeccce441d1e158d8721340c5
SHA256 75791c9e1cfb73b8eac4a54c4231975e9a4d452160311ae493d88ad2daa0bba0
SHA512 0eb36277a28f428877006a766d65342919beaedb84bbad80e2ae79398c0d3c73cdce6873e463fa5c7db428c633a3acc13c96d43416798e296de0ed5d6c9e5e3d

memory/1600-728-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2296-727-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/580-738-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2296-739-0x0000000000BB0000-0x0000000000CB0000-memory.dmp

memory/2296-746-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1600-747-0x0000000000400000-0x0000000000ECD000-memory.dmp

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/580-762-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1640-764-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/1640-763-0x0000000000830000-0x0000000004128000-memory.dmp

memory/1640-768-0x000000001EBD0000-0x000000001EC50000-memory.dmp

memory/1640-769-0x000000001EF70000-0x000000001F080000-memory.dmp

memory/1640-771-0x0000000000570000-0x000000000057C000-memory.dmp

memory/1640-770-0x00000000002A0000-0x00000000002B0000-memory.dmp

memory/1640-772-0x0000000000560000-0x0000000000574000-memory.dmp

memory/1640-773-0x0000000005AB0000-0x0000000005AD4000-memory.dmp

memory/1640-781-0x00000000003C0000-0x00000000003EA000-memory.dmp

memory/1640-782-0x000000001E140000-0x000000001E1F2000-memory.dmp

memory/1640-784-0x0000000005AD0000-0x0000000005B32000-memory.dmp

memory/1640-783-0x0000000005990000-0x0000000005A0A000-memory.dmp

memory/1640-780-0x00000000003A0000-0x00000000003AA000-memory.dmp

memory/1640-785-0x00000000003B0000-0x00000000003BA000-memory.dmp

memory/1640-789-0x000000001FE00000-0x0000000020100000-memory.dmp

memory/1640-792-0x000000001EBD0000-0x000000001EC50000-memory.dmp

memory/1640-791-0x000000001EBD0000-0x000000001EC50000-memory.dmp

memory/1640-794-0x000000001E6A0000-0x000000001E6C2000-memory.dmp

memory/1640-793-0x0000000005A20000-0x0000000005A2A000-memory.dmp

memory/1640-798-0x000000001E6C0000-0x000000001E6CC000-memory.dmp

memory/1640-797-0x000000001EBD0000-0x000000001EC50000-memory.dmp

memory/1640-802-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/1640-807-0x000000001EBD0000-0x000000001EC50000-memory.dmp

memory/1640-809-0x0000000000510000-0x000000000051A000-memory.dmp

memory/1640-808-0x0000000000510000-0x000000000051A000-memory.dmp

memory/2296-810-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1640-811-0x000000001EBD0000-0x000000001EC50000-memory.dmp

memory/1600-812-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\8ca5b49aa6234bb0a6791bfa64796b65.tmp

MD5 f5dc21b613bdb1a461c2c9ed9929733e
SHA1 9d0972ae8042a6663ff73b0700be9d407bacf2b2
SHA256 3fb5b624e3b11b7f568ffd8fdbfc1f0d045154d160930f2bf0c887cc2de98f31
SHA512 4c3ab279b0d06d34a9e1edb75d76379b25350d53373d57fd30f0e36aea0d357cda721802c9555a1dad47995c2fdad0157ce2ac3744985363585766994fe296ad

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

memory/2296-836-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1600-837-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1600-844-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1600-852-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2296-859-0x0000000000400000-0x0000000000AEA000-memory.dmp

\Users\Admin\AppData\Local\Temp\EHDHIDAEHC.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

memory/1600-869-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1600-870-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

memory/1600-886-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 22:30

Reported

2024-03-28 22:36

Platform

win10-20240221-en

Max time kernel

261s

Max time network

301s

Command Line

sihost.exe

Signatures

Detects DLL dropped by Raspberry Robin.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4112 created 2148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe c:\windows\system32\sihost.exe

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YWs5UTxZr5AenkLAi1KwKNOi.exe = "0" C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\jj90xFDYYdmnsryuuFbp6pnu.exe = "0" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\CqOtShqdfSVnXipfjt58rIU4.exe = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UNbP6USxHNfT6vKup2NsyeA8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\au0TrLn35OhxNHxFZenTTi4K.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DyhyMTGmG6OTTcv1yn9wYY3z.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\frH58nCLHKpLUXA4bLboSFzW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ndjbqTGA41DU4KUqTm9wnYzf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R188zyb51enl0ft6YOflYJ1j.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7dMpc4I4VTLHUrepCrsqwJaM.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cKLFK3rYwiCWt21gIBbWSMds.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QpFXC2yFdNjznsIFWhCFLGbf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pTaL3ZxRxBqdVVb76Xo8KRt0.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b0TJJlFYjzcAtYM0XvkBsb5b.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe N/A
N/A N/A C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe N/A
N/A N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe N/A
N/A N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
N/A N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe N/A
N/A N/A C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
N/A N/A C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
N/A N/A C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
N/A N/A C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe N/A
N/A N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
N/A N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
N/A N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\CqOtShqdfSVnXipfjt58rIU4.exe = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\jj90xFDYYdmnsryuuFbp6pnu.exe = "0" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YWs5UTxZr5AenkLAi1KwKNOi.exe = "0" C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
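A triage note on the registry rows above, and an added example script that is not part of the sandbox report. Everything under \REGISTRY\USER\.DEFAULT is the profile that LocalSystem loads, so powershell.exe, netsh.exe and C:\Windows\windefender.exe (a Defender-like name at a path Microsoft does not use) writing there means those processes ran as SYSTEM. The MuiCache\...\@tzres.dll rows are resource-string caching that any process touching time-zone APIs produces and carry no trust impact. The empty Certificates/CRLs/CTLs containers under .DEFAULT\...\SystemCertificates are what CryptoAPI creates when a process first opens those stores in a profile that has never used them; no certificate is added by them. The one row that does add trust material is the AuthRoot Blob write by QIPYx01QHg4rpj0Z7G8BhZqI.exe, which the command lines further down identify as an Opera installer. AuthRoot is the store the Windows automatic root update populates, so a root arriving there during an installer's TLS session is expected behaviour, but the thumbprint should still be pulled and checked against the current Microsoft CTL before the row is cleared. The script parses rows in the report's own column layout (sample rows constructed from the ones above; the elided blob column is replaced by a constructed placeholder) and sorts them into those buckets:

```python
import re
from collections import Counter, defaultdict

# Rows constructed from the report's registry table (same column layout:
# operation, key path[, = value], writing process, target). The certificate
# blob is replaced by a constructed placeholder; real rows carry the encoded blob.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = <blob-omitted> C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe N/A
""".strip().splitlines()

ROW_RE = re.compile(r"^(Key created|Set value \((\w+)\)) (.+)$")
# store name, optional physical container, optional SHA-1 thumbprint, optional \Blob value
CERT_RE = re.compile(
    r"\\SystemCertificates\\([^\\]+)(?:\\(Certificates|CRLs|CTLs))?(?:\\([0-9A-F]{40}))?(\\Blob)?$", re.I)


def parse_row(row):
    """Split one report row into (op, value_type, key, value, process).
    The last two whitespace-separated tokens are always process and target."""
    rest, process, _target = row.rsplit(None, 2)
    m = ROW_RE.match(rest)
    if not m:
        raise ValueError(row)
    op, vtype, tail = m.group(1), m.group(2), m.group(3)
    key, value = tail, None
    if op.startswith("Set value") and " = " in tail:
        key, value = tail.split(" = ", 1)
    return op, vtype, key, value, process


def hive_context(key):
    """\\REGISTRY\\USER\\.DEFAULT is the profile LocalSystem loads, so a write
    there means the process ran as SYSTEM; machine-hive writes need admin rights."""
    k = key.upper()
    if k.startswith(r"\REGISTRY\USER\.DEFAULT"):
        return "SYSTEM"
    if k.startswith(r"\REGISTRY\MACHINE"):
        return "HKLM"
    return "USER"


def triage(rows):
    out = {"noise": 0, "store_init": Counter(), "cert_written": [],
           "other": [], "context": defaultdict(set)}
    for row in rows:
        op, vtype, key, value, proc = parse_row(row)
        out["context"][proc].add(hive_context(key))
        if "\\MuiCache\\" in key:            # resource-string caching, no trust impact
            out["noise"] += 1
            continue
        cm = CERT_RE.search(key)
        if cm:
            store, container, thumb, blob = cm.groups()
            if blob and thumb:                 # a certificate body landed in a store
                out["cert_written"].append((hive_context(key), store, thumb.upper(), proc))
            elif thumb:
                pass                           # per-cert container; reported with its Blob row
            else:                              # empty store container created on first use
                out["store_init"][(proc, store, container)] += 1
            continue
        out["other"].append((op, key, value, proc))
    return out


if __name__ == "__main__":
    r = triage(SAMPLE_ROWS)
    print("MuiCache noise rows:", r["noise"])
    for proc, ctx in r["context"].items():
        print(f"{proc} wrote in context {sorted(ctx)}")
    for hive, store, thumb, proc in r["cert_written"]:
        print(f"CERT WRITE {hive}\\{store} thumbprint {thumb} by {proc}")
    for op, key, value, proc in r["other"]:
        print("review:", op, key, value, proc)
```

On the sample rows this reports two noise rows, two store containers initialised by powershell.exe, the single AuthRoot certificate write with its thumbprint, and leaves the NetTrace key and the ZoneMap IntranetName value for manual review.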

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe N/A
N/A N/A C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe N/A
N/A N/A C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe N/A
N/A N/A C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
N/A N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
N/A N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
N/A N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
N/A N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
N/A N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 324 wrote to memory of 4636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe
PID 324 wrote to memory of 4636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe
PID 324 wrote to memory of 4636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe
PID 324 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe
PID 324 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe
PID 324 wrote to memory of 4724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe
PID 324 wrote to memory of 2072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe
PID 324 wrote to memory of 2072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe
PID 324 wrote to memory of 2072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe
PID 324 wrote to memory of 1844 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe
PID 324 wrote to memory of 1844 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe
PID 324 wrote to memory of 1844 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe
PID 324 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe
PID 324 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe
PID 324 wrote to memory of 220 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4636 wrote to memory of 4412 N/A C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe \??\c:\windows\system32\svchost.exe
PID 4636 wrote to memory of 4412 N/A C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe \??\c:\windows\system32\svchost.exe
PID 4636 wrote to memory of 4412 N/A C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe \??\c:\windows\system32\svchost.exe
PID 4112 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
PID 4112 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
PID 4112 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
PID 4112 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
PID 4112 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
PID 324 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe
PID 324 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe
PID 324 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe
PID 4636 wrote to memory of 3432 N/A C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe
PID 4636 wrote to memory of 3432 N/A C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe
PID 4636 wrote to memory of 3432 N/A C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe
PID 220 wrote to memory of 4440 N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4440 N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4440 N/A C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3676 N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3676 N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3676 N/A C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4124 N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4124 N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4124 N/A C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
PID 324 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
PID 324 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
PID 4720 wrote to memory of 2784 N/A C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
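The WriteProcessMemory table repeats each parent/target pair several times because the sandbox logs every write call, which hides the shape of the chain. Collapsed into edges it reads: the sample (PID 3276) writes into two jsc.exe instances (324 and 4512); jsc.exe 324 writes into each of the dropped Pictures\*.exe processes; 7pPqcQ1NvLfzcuazweVkDUiS.exe (2072) writes into RegAsm.exe (4112); vZhkWfk1KYIKmH5xpBHIuX0s.exe (4636) writes into svchost.exe (4412); and RegAsm.exe 4112 writes into the Opera installer. jsc.exe and RegAsm.exe are .NET framework tools that do nothing useful without arguments, and a user-path executable writing into a freshly started copy of one is the process-hollowing pattern; the WerFault.exe -p 2072 and -p 4112 entries in the process list further down are 7pPq...exe and the RegAsm.exe it wrote into crashing. The script below is an added example, not part of the report: it parses rows in the table's format (constructed from a subset of the rows above), collapses duplicates into counted edges, prints the chain from its root, and flags writes from a non-Windows image into a known hollowing host under C:\Windows.

```python
import re

# Rows constructed from the report's WriteProcessMemory table (same layout:
# description, indicator, source image, target image). Duplicates are kept
# on purpose; the sandbox emits one row per write call.
SAMPLE_ROWS = r"""
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3276 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 324 wrote to memory of 4636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe
PID 324 wrote to memory of 2072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 4112 N/A C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4636 wrote to memory of 4412 N/A C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe \??\c:\windows\system32\svchost.exe
PID 4112 wrote to memory of 4720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe
""".strip().splitlines()

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Windows images routinely chosen as hollowing / injection hosts.
HOLLOW_HOSTS = {"jsc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "svchost.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_windows_image(path):
    p = path.lower()
    if p.startswith("\\??\\"):            # NT object-manager prefix, as on the svchost.exe row
        p = p[4:]
    return p.startswith("c:\\windows\\")


def collapse(rows):
    """Return {(src_pid, dst_pid): (src_image, dst_image, write_count)}."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(row)
        src_pid, dst_pid, src, dst = int(m[1]), int(m[2]), m[3], m[4]
        img_src, img_dst, n = edges.get((src_pid, dst_pid), (src, dst, 0))
        edges[(src_pid, dst_pid)] = (img_src, img_dst, n + 1)
    return edges


def hollowing_candidates(edges):
    """Edges where a non-Windows image writes into a Windows image that is a
    known hollowing host. Returns [(src_pid, dst_pid, src, dst, count)]."""
    hits = []
    for (s, d), (src, dst, n) in sorted(edges.items()):
        if not is_windows_image(src) and is_windows_image(dst) and basename(dst) in HOLLOW_HOSTS:
            hits.append((s, d, src, dst, n))
    return hits


def roots(edges):
    """PIDs that write but are never written into: the chain starts here."""
    writers = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(writers - targets)


def print_tree(edges, pid, depth=0, seen=None):
    if seen is None:
        seen = set()
    for (s, d), (src, dst, n) in sorted(edges.items()):
        if s == pid and (s, d) not in seen:
            seen.add((s, d))
            print("  " * depth + f"{s} -> {d} {basename(dst)} ({n} writes)")
            print_tree(edges, d, depth + 1, seen)


if __name__ == "__main__":
    e = collapse(SAMPLE_ROWS)
    for r in roots(e):
        print(f"root {r} {basename(e[next(k for k in e if k[0] == r)][0])}")
        print_tree(e, r)
    for s, d, src, dst, n in hollowing_candidates(e):
        print(f"HOLLOWING? {basename(src)} ({s}) -> {basename(dst)} ({d}), {n} writes")
```

On the sample rows the only root is PID 3276 (the original sample), and four edges are flagged: both writes into jsc.exe, the write into RegAsm.exe, and the write into svchost.exe. The jsc.exe-to-Pictures edges are not flagged because the writer is itself a Windows image; on a real endpoint you would chase those by parent PID instead, since the hollowed jsc.exe is the one launching the payloads.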

Uses Task Scheduler COM API

persistence

Processes

c:\windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe

"C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe

"C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe"

C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe

"C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe"

C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe

"C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe"

C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe

"C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe"

C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe

"C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 836

C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 184

C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe

"C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe"

C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe

"C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe" --silent --allusers=0

C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe

C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6d00e1d0,0x6d00e1dc,0x6d00e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QIPYx01QHg4rpj0Z7G8BhZqI.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QIPYx01QHg4rpj0Z7G8BhZqI.exe" --version

C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe

"C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4720 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328223140" --session-guid=24b3a1b9-2282-4901-9ecd-b7d76ca750a7 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B004000000000000

C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe

C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x280,0x2bc,0x6c68e1d0,0x6c68e1dc,0x6c68e1e8

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe"

C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe

"C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s seclogon

C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe

"C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe"

C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe

"C:\Users\Admin\Pictures\CqOtShqdfSVnXipfjt58rIU4.exe"

C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe

"C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xe70040,0xe7004c,0xe70058

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.160.247:443 operandotwo.com tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 104.21.32.142:443 shipofdestiny.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 219.200.67.172.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 247.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 142.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 17.64.42.5.in-addr.arpa udp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 8.8.8.8:53 guseman.org udp
US 172.67.173.167:443 guseman.org tcp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 8.8.8.8:53 herdbescuitinjurywu.shop udp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
US 138.91.171.81:80 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 194.206.67.172.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 209.128.172.185.in-addr.arpa udp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.49:443 download.iolo.net tcp
US 8.8.8.8:53 49.56.244.143.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 123.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.23:443 download.opera.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 download3.operacdn.com udp
NL 185.26.182.94:443 features.opera-api2.com tcp
US 8.8.8.8:53 94.182.26.185.in-addr.arpa udp
GB 104.86.111.8:443 download3.operacdn.com tcp
US 8.8.8.8:53 8.111.86.104.in-addr.arpa udp
US 20.157.87.45:80 svc.iolo.com tcp
DE 185.172.128.65:80 185.172.128.65 tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 150.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.11.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 89.11.18.104.in-addr.arpa udp
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 00ab51ed-e6f3-4dae-91f8-0aa2c68f0147.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 server13.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server13.thestatsfiles.ru tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server13.thestatsfiles.ru tcp
BG 185.82.216.96:443 server13.thestatsfiles.ru tcp
N/A 127.0.0.1:31465 tcp

Files

memory/3276-0-0x00000198AD410000-0x00000198AD426000-memory.dmp

memory/3276-1-0x00007FFD674F0000-0x00007FFD67EDC000-memory.dmp

memory/3276-2-0x00000198C7A30000-0x00000198C7A40000-memory.dmp

memory/3276-3-0x00000198C7B40000-0x00000198C7B9C000-memory.dmp

memory/324-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/324-5-0x0000000073460000-0x0000000073B4E000-memory.dmp

memory/324-6-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

C:\Users\Admin\Pictures\Dgj5a6AQe9yuiNuvR5Jl48DW.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\6TDIGTROmXCbTPNzo6KGMJMz.exe

MD5 fb1374b164c73b45fb5eae9f38d586f4
SHA1 bb3c3d651fe8f6955dd234a990e9bbf03c8688ed
SHA256 50b8fbe5a4f74829808694aa4d3a4665bc22755999d8cae649ff19edfee86eec
SHA512 8dd1fda4b1857194eac4233c7bdb4619d8ebc57054c58e000781d7cbb36deccf1fd5961f917b109174af04e22d4bae64815ce5e9a42d9b973ef3ed46358f14ad

C:\Users\Admin\Pictures\6AL166J5APM1bdN3RnllKpMJ.exe

MD5 1bc3401e74975ac17968481f4ea109a2
SHA1 a46c2dd8032f771924f2a6ea048f596d98894753
SHA256 552e2265686724b77887c809714b97ad70f0d9e6c0be4bf8519d6071c819deb9
SHA512 26d047f527aea9ff219a954a5a96a55de89d331885f9113fb532e8e184c49d2dcae94c2cdb005cdf305e73877959c592b635e506b9b1eb60831546b1d0805e95

C:\Users\Admin\Pictures\vZhkWfk1KYIKmH5xpBHIuX0s.exe

MD5 7fcc0bae1fa98de1d16819e6f85de171
SHA1 d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4
SHA256 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a
SHA512 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29

memory/4636-42-0x0000000000D80000-0x0000000000E80000-memory.dmp

memory/4636-43-0x0000000002620000-0x000000000268E000-memory.dmp

memory/4636-44-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\Pictures\qNtH4wYOnE3DxYcBJ1DP3uVO.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

C:\Users\Admin\Pictures\hmgrh3rLQoRkUEJr0u3Iz3DU.exe

MD5 08109775e229793caa016b61cd0d0356
SHA1 01e26212fbf20720d1461f656cdb9a79d966f246
SHA256 3e67a3f678d77c49f9a435e11061b7a5b3aa1d477eb4419462b8b2246dfa1f4d
SHA512 f0f0b1d0baa877b454e7e36fce4a19c7546ac893fc241a516d5a61943ecef926c724babe3056f998a6a42c8e8fb7007118540b4caf8472812b7e5dcc8f502aa4

memory/4724-59-0x0000000000C50000-0x0000000000D50000-memory.dmp

memory/4724-61-0x0000000000BA0000-0x0000000000BEA000-memory.dmp

C:\Users\Admin\Pictures\7pPqcQ1NvLfzcuazweVkDUiS.exe

MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

C:\Users\Admin\Pictures\jj90xFDYYdmnsryuuFbp6pnu.exe

MD5 6126c6923b352edf2507639b7fe78e8a
SHA1 1fd3edb62b8d44673772fb58a05c43d5360e8e5b
SHA256 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd
SHA512 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736

memory/4724-66-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/2072-68-0x0000000000870000-0x00000000008DE000-memory.dmp

memory/4724-69-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/2072-70-0x0000000073460000-0x0000000073B4E000-memory.dmp

memory/2072-74-0x0000000005220000-0x0000000005230000-memory.dmp

memory/1844-82-0x0000000002F70000-0x000000000385B000-memory.dmp

memory/4112-83-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1844-84-0x0000000002A70000-0x0000000002E6C000-memory.dmp

memory/4112-87-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1844-88-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4112-90-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2072-89-0x0000000002C00000-0x0000000004C00000-memory.dmp

memory/220-91-0x0000000002A10000-0x0000000002E0C000-memory.dmp

memory/3276-92-0x00007FFD674F0000-0x00007FFD67EDC000-memory.dmp

memory/220-93-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4724-94-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-96-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-95-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-100-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-101-0x00000000028D0000-0x0000000002910000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3ks.0.exe

MD5 4524e1a1e2725e159d68b3bca2c1b296
SHA1 0e3b226d0ebd227b911c5fc25d6a28478ed0a957
SHA256 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7
SHA512 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca

memory/4724-104-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4112-105-0x0000000003680000-0x0000000003A80000-memory.dmp

memory/4724-106-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-108-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4112-107-0x0000000003680000-0x0000000003A80000-memory.dmp

memory/4724-109-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-110-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-111-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-112-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-114-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-113-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4112-115-0x00007FFD796B0000-0x00007FFD7988B000-memory.dmp

memory/4724-116-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-119-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-121-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4112-122-0x0000000076FA0000-0x0000000077162000-memory.dmp

memory/4724-124-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-125-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-127-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-128-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-131-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-132-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-133-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-135-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-136-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-137-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-139-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-140-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-141-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-145-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-146-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-148-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-147-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-138-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-134-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-130-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-129-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4724-126-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4720-154-0x0000000004040000-0x0000000004440000-memory.dmp

memory/4720-123-0x00000000004C0000-0x00000000004C9000-memory.dmp

memory/4724-118-0x00000000028D0000-0x0000000002910000-memory.dmp

memory/4720-160-0x00007FFD796B0000-0x00007FFD7988B000-memory.dmp

memory/4720-164-0x0000000076FA0000-0x0000000077162000-memory.dmp

C:\Users\Admin\Pictures\YWs5UTxZr5AenkLAi1KwKNOi.exe

MD5 5f066ebf9264cad80bdb1384ce2a6b34
SHA1 a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc
SHA256 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1
SHA512 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5

memory/4636-176-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/4724-190-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/4412-200-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1844-202-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3ks.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/220-235-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4636-238-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/4412-280-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kryldxxi.qnf.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1844-490-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/220-502-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2428-512-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/3432-517-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 f152b09880d68cbf0ff5722e96c5a6bb
SHA1 557b770f8f1cd10be2bba2077a8fa6666c15f04c
SHA256 741435123ea37187659d43159faf33be079430ca635361ca2f705bcd6d831b28
SHA512 ac9ea99fbb8b1efab7e2bdfc18774565aad63da9153f1f0fa4ab934566583f3188a23682296c90eed4baaa584c599a55a015a431ca12569e2a8e1e70a59108b3

C:\Users\Admin\Pictures\QIPYx01QHg4rpj0Z7G8BhZqI.exe

MD5 d8eeaee3599694b6a4c03fa121da1ad9
SHA1 1b827152fea138646a52ec006712bf5d82894ac4
SHA256 761aeb88c547e1ba71fee7958b2f7102572b1a36e2d74ac9c9b0217d49e3ad0b
SHA512 56b8676bb9c21ab66046e61eaa1954d47d86c88f873fa4b5d185f998758daffc9bb1e4ba82ba5515e4d19ee1894ee67889334cc58a5472e1443561a107498092

\Users\Admin\AppData\Local\Temp\Opera_installer_2403282231364774720.dll

MD5 117176ddeaf70e57d1747704942549e4
SHA1 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA256 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512 ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

memory/4116-627-0x0000000001780000-0x000000000182E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 a3787bef9c43b9a6b0dd90945cf0274f
SHA1 7d9b1e193fa67119cfd73d0b5c242d4734bb0516
SHA256 4fa1686a3855923d89d119cf6155b00031c6f2ae51e68be3c39f8ef7b9c9329a
SHA512 f458d3e4775cc5add0271e587f244f4e13f13e514340137a9c37b4dfe16eff1fd9803ebc383f751c82afb6f515ae7216afccd032476604f1f7afa9d4b1d39247

memory/4412-928-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/3432-944-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4412-949-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 7247129cd0644457905b7d6bf17fd078
SHA1 dbf9139b5a1b72141f170d2eae911bbbe7e128c8
SHA256 dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
SHA512 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 55d0e82a4af1868f0fff53eb6c48f59b
SHA1 581a182aad6a0a9f5cc47c91334333f74da5c753
SHA256 637bc2d2fca925b014d7a5467dde95ec0afadbd2eae6ff4e966e663c218fa9a6
SHA512 171039e175e165fffd9906d59ad69de332bed89c4073f4f2c29a4ba1ccf4a1e9b0d216286684daebe2a49a2961f659d8e7d74afec335c41127f145ecc29c7b3e

memory/3432-1216-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4412-1221-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/4412-1277-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8c1a32e3fb85d39d0bfafef4d4137142
SHA1 034a11b0558270c332483256cb431054349c64d9
SHA256 de9cc05267cc48a3f00936e482683e8004827e9d0d75a50d198188f6d23b6750
SHA512 b29bc20dbf53ca706ac622d7c522a8c075ec4f3f3d99c93340b75f2a1ab7e6359f56fd65195ac61eb92ad32a85a68d142a62a605b5cff07a5763748ea83fa47a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4bf2ed40e33939583d1c964f2ccb4e62
SHA1 d2b778445eda9d95468d9686f127c9e872514dc0
SHA256 f475309f1ea317b27ec4c0b1df2e194c56da0fa7dc71d1424e9bac032fefbc38
SHA512 5499c2f74bb61bbb4435bcc5ffe08730272634082833245a9e2c6e00ea523a083383beb1294d1716373a5b7d625552da520ff6b6d3beaca4516bc7d39423ddc1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Users\Admin\AppData\Local\Temp\EBGDAAKJJD.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

memory/1844-1337-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/220-1340-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2428-1348-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4616-1434-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4500-1439-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/5088-1448-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\opera_package

MD5 401c352990789be2f40fe8f9c5c7a5ac
SHA1 d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256 f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512 efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d966ccbe0e06b54ebd3976444f374e27
SHA1 7463a7c697cab1160e6f76b9014eb126ae11d826
SHA256 2254cbcdd723d65695d352af298eb97e9da7171c6a595ab285175234281de18f
SHA512 fbe3b176c06f54a5741994a5a3ea82f31301c4669ba76dee65eeb19e1c17c73a9516b49f4c7c46a1ca08cfe19ad94474bb61b0f270264c90d7030e14fbd95b60

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 745b12fe0851ebabf552ea86190c445c
SHA1 b7613633810977ae8ef45f4ba9a70b937472a956
SHA256 c9e40cc797e4a2cd16255d6da53928e225c8e82b295a40e0e34529bc78ba30c4
SHA512 44e663ea37562b5e73a20a99c88cc0dcb8713647c4abd2dc020f28adf427c2475df6e94c0f1394c783e5152a78d8aeb2ea70f562ad2883995f018271e07f30a9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 7aac7c53b58a8b0a0b23552816658244
SHA1 296b3e96334a230b623c91284b3efb223fca218e
SHA256 d9619d2067c02e6cdbe31e2971cd22d05e4f4051ad4257f1011030c656188bc2
SHA512 4230577e5cd538dd5c333de1f0cb2c6086c0fbe100c1bbd8bf6a8e6700acef62487e9ecd97f9e7a6da7a9f95c9bffdc023aa68daa062df275cc9909208c85045

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\dbgcore.DLL

MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282231401\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 57fa6e8abffcc82023026e498c824916
SHA1 e9a45cb6eb1d1e87c85bd8d05032778dce6d624d
SHA256 b7e41f5fdbf2192876425b262e65cf281116d092717921048ddde8bd510973fd
SHA512 6078ebd61ca864ab35693bd9b4b592ab566099b0662bf8e8a2d97bdc5cbc20b8ea65becaf89f374f30da622c9b5e810490675e41a39ee0a166eee15e96d0b80b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 efe95f9363b53f4948b4f5f07e14bd1f
SHA1 9b199d5807653dbdc3e6195098a342f184389a8b
SHA256 52fe94e9000a4a7e98194b5270dc787c2b50dd0019fa4f9db31d2276e5d42f78
SHA512 d3b207e21b4e7ea6cbfed4ecf72851902b2eec01323d8d972fa7b85a3d75beef39ef7d6650ae40bdc956a58b36bbe64efb0c9eb3009e72ce4a55b5ebdb3dcbf3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 939bcea3f97e1b888cdffa5f75fed0e9
SHA1 e1300cafd267e2a9085fcc59c0014d96524666b9
SHA256 7692c67e33c6a78ac677d03a786067af2844d088f044e1eef0c4e7456bcf2039
SHA512 243beab987d5320e1d0698d3df367999df857c205a74e34118f0442a702c48e360ed1adb8946bd4adebce25af33c01fca51e88b220abceee3fb24b64ad69ecf5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 84af1f29f3911fb1f585736258238401
SHA1 2a7cb486962ab502c61a3158368954f5bb8cd533
SHA256 b0313cadd8081f87a69693613aeb1c4eb0f84b7737bdbf8f5e1f1a12444c8a16
SHA512 479abec95b9f3ffe07c949580687d584e91075ce1f6d1e96a849e9aba6c398667441676c624c613a7e9e322c1e488672cefd9baf48c46f9644937abae52741e0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1504625c2f27fba285544e5ce3430a2a
SHA1 ca84c82a7a7155b0f540af5dd9b54395601aa3ea
SHA256 b39bcbe00679ba456ee01686fc06872da73ad7b5fd180463a1646e59bb4b0ac1
SHA512 2dd23f889082f7da57f75a9f2818dcb6e948d34b7991672075f225367971dd9f92bbadb42c61f61101faca0b529392374fb320d845b2059a90a683e7f3d1dc49