Malware Analysis Report

2024-11-30 02:10

Sample ID 240328-2fgp4aac9w
Target 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3
SHA256 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3
Tags
glupteba stealc zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer trojan upx lumma rhadamanthys
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3

Threat Level: Known bad

The file 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3 was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer trojan upx lumma rhadamanthys

ZGRat

Glupteba

Lumma Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba payload

Stealc

Detects DLL dropped by Raspberry Robin.

Windows security bypass

Detect ZGRat V1

Rhadamanthys

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Modifies Windows Firewall

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Windows security modification

Reads user/profile data of local email clients

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Drops startup file

Adds Run key to start application

Manipulates WinMonFS driver.

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMon driver.

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 22:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 22:31

Reported

2024-03-28 22:36

Platform

win7-20240221-en

Max time kernel

295s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
(no indicator details recorded for this signature)

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(no indicator details recorded for this signature)

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\RwQz64k3zJzBPBN0q1AWhzIf.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wkB0t9H9PRySj6BlgkmAzvPe.exe = "0" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BL9reFHBtoDJ7fd09lbMV8VH.exe = "0" C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StVQkcIj1kM6BrBm9HQLnLAy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECMRY6UBUgSesO5w8MfiEqrq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9o2MpUIbovv5h3t9EbqtAlKM.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3z9Ex5SJR6og1IDA25VGQBxU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayK9QRWu8gz63BYo93dooDtH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VmQpn2hS6Th8AC1JrFmKPXHC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mvKo54qCz2ADmr79EFnt2A7J.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqWcnPcoqXdgEI5qeTBTbmFW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jxGpNizh1ub7I7N7eI6bT8O1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe N/A
N/A N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe N/A
N/A N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe N/A
N/A N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe N/A
N/A N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
N/A N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe N/A
N/A N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe N/A
N/A N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe N/A
N/A N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
(no indicator details recorded for this signature)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\RwQz64k3zJzBPBN0q1AWhzIf.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wkB0t9H9PRySj6BlgkmAzvPe.exe = "0" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BL9reFHBtoDJ7fd09lbMV8VH.exe = "0" C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
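The two Defender-exclusion tables above ("Windows security bypass" and "Windows security modification" list the same nine registry writes) are the most useful lines on this page for detection engineering: a process running from the user's Pictures folder excludes itself, the directory it will later drop csrss.exe into, the whole driver directory, and a process name that belongs to the Windows core. The Python below is an added example and is not part of the sandbox report or of any vendor tooling. It parses event lines in the report's own layout and attaches the reasons that make each exclusion hostile rather than an administrator's tuning. The sample events are the nine lines copied from the tables above; the core-process list and the user-writable path markers are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Shape of the report's registry events (assumption: the writing process path has
# no spaces, which holds for every line in this report):
#   Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\<Kind>\<excluded> = "0" <writer> <target>
EXCLUSION_RE = re.compile(
    r'^Set value \(\w+\) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\'
    r'(?P<kind>Paths|Processes|Extensions|TemporaryPaths)\\'
    r'(?P<excluded>.+?) = "(?P<data>[^"]*)" '
    r'(?P<writer>\S+) (?P<target>\S+)$'
)

# Assumed list of Windows core process names. A Defender exclusion for one of
# these only makes sense for malware that plans to masquerade as it (this sample
# drops C:\Windows\rss\csrss.exe).
CORE_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "lsass.exe", "services.exe",
    "wininit.exe", "winlogon.exe", "svchost.exe",
}
# Assumed path fragments that an unprivileged process can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ExclusionFinding:
    kind: str       # Paths, Processes, Extensions or TemporaryPaths
    excluded: str   # what Defender will now skip
    writer: str     # process that wrote the registry value
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if self.reasons else "review"


def parse_exclusion_event(line: str):
    """Return an ExclusionFinding for a Defender-exclusion event line, else None."""
    m = EXCLUSION_RE.match(line.strip())
    if m is None:
        return None
    return ExclusionFinding(m["kind"], m["excluded"], m["writer"])


def assess(finding: ExclusionFinding) -> ExclusionFinding:
    """Attach the reasons that separate a hostile exclusion from an admin's tuning."""
    ex = finding.excluded.lower()
    writer = finding.writer.lower()
    writer_dir, _, writer_name = writer.rpartition("\\")
    if finding.kind == "Processes" and writer_name == ex:
        finding.reasons.append("writer excludes itself")
    if finding.kind == "Paths" and ex.rstrip("\\") in (writer, writer_dir):
        finding.reasons.append("writer excludes its own location")
    if any(marker in ex for marker in USER_WRITABLE_MARKERS):
        finding.reasons.append("exclusion covers a user-writable location")
    if any(marker in writer for marker in USER_WRITABLE_MARKERS):
        finding.reasons.append("exclusion written from a user-writable location")
    if ex == "c:\\windows\\system32\\drivers":
        finding.reasons.append("whole driver directory excluded")
    if finding.kind == "Processes" and ex in CORE_PROCESS_NAMES:
        finding.reasons.append("exclusion named after a core Windows process")
    return finding


def triage_exclusions(lines):
    """Parse and assess every Defender-exclusion event in an iterable of report lines."""
    return [assess(f) for f in map(parse_exclusion_event, lines) if f is not None]


# Sample input: the nine events from the tables above, copied verbatim.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\RwQz64k3zJzBPBN0q1AWhzIf.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wkB0t9H9PRySj6BlgkmAzvPe.exe = "0" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BL9reFHBtoDJ7fd09lbMV8VH.exe = "0" C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
"""

if __name__ == "__main__":
    for f in triage_exclusions(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.severity}] {f.kind}: {f.excluded} <- {f.writer}; " + "; ".join(f.reasons))
```

Every one of the nine events comes out "high", and three of them carry the strongest single signal, a process excluding its own file name. On a live host the same checks apply to the values under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions; exclusions that an administrator set through policy are written by the Group Policy or Intune service, not by an executable in a user profile.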

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
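Two persistence mechanisms appear in this analysis: the Run value above, which points at a file called csrss.exe in C:\Windows\rss rather than at the real Client/Server Runtime in System32, and the nine .bat files that regsvcs.exe (a signed .NET utility that has no business writing Startup items) dropped into the user's Startup folder in the "Drops startup file" table earlier. The Python below is an added example serving both tables; it is not part of the report or of any vendor tooling. It parses both event shapes as the report prints them, including the C-style escaping of REG_SZ data, and flags the name masquerade and the anomalous writer. The sample events are the four Run-key lines and the first three Startup-folder lines copied from the tables; the core-process, system-directory and .NET-host lists are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Autostart registry event as printed by the report. REG_SZ data is shown
# C-escaped (\" for a quote, \\ for a backslash). Assumption: the writer path
# has no spaces, which holds for every line in this report.
RUN_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\(?:USER|MACHINE)\\.*?'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<which>RunOnce|Run)'
    r'\\(?P<name>\S+) = "(?P<data>(?:\\.|[^"\\])*)" (?P<writer>\S+) (?P<target>\S+)$',
    re.IGNORECASE,
)
# File-drop event; the dropped path may contain spaces ("Start Menu"), so the
# writer and target are taken from the end of the line.
FILE_RE = re.compile(r'^File created (?P<path>.+) (?P<writer>\S+) (?P<target>\S+)$')
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"

# Assumed reference data for the checks below.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                  "wininit.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Signed .NET utilities commonly used as hosts for injected code; none of them
# creates Startup items in normal use.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe"}
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".wsf")


@dataclass
class PersistenceFinding:
    mechanism: str   # "Run key", "RunOnce key" or "Startup folder"
    entry: str       # value name or dropped file path
    image: str       # executable the entry launches, or the dropped file
    writer: str      # process that created the entry
    reasons: list = field(default_factory=list)


def unescape_report_string(s: str) -> str:
    """Undo the report's C-style escaping of REG_SZ data."""
    return re.sub(r'\\(.)', r'\1', s)


def image_path(command: str) -> str:
    """First token of a command line, honouring a leading double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_entry(m) -> PersistenceFinding:
    image = image_path(unescape_report_string(m["data"]))
    f = PersistenceFinding(m["which"] + " key", m["name"], image, m["writer"])
    directory, _, base = image.lower().rpartition("\\")
    if base in CORE_PROCESSES:
        f.reasons.append("core Windows process name used for an autostart entry")
        if directory not in SYSTEM_DIRS:
            f.reasons.append(f"{base} outside System32 ({directory or 'relative path'}): masquerading")
    if directory.startswith("c:\\windows\\") and directory not in SYSTEM_DIRS:
        f.reasons.append("autostart image in a non-standard directory under C:\\Windows")
    return f


def assess_startup_drop(m) -> PersistenceFinding:
    path, writer = m["path"], m["writer"]
    f = PersistenceFinding("Startup folder", path, path, writer)
    if writer.lower().rpartition("\\")[2] in DOTNET_HOSTS:
        f.reasons.append("written by a .NET utility that never creates Startup items itself: likely a hollowed host")
    if path.lower().endswith(SCRIPT_EXTENSIONS):
        f.reasons.append("script dropped into the Startup folder")
    return f


def triage_persistence(lines):
    """Parse Run-key and Startup-folder events from an iterable of report lines."""
    findings = []
    for line in lines:
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            findings.append(assess_run_entry(run))
            continue
        drop = FILE_RE.match(line)
        if drop and STARTUP_FOLDER in drop["path"].lower():
            findings.append(assess_startup_drop(drop))
    return findings


# Sample input copied from the report: the four Run-key writes and three of the
# nine Startup-folder drops.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StVQkcIj1kM6BrBm9HQLnLAy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECMRY6UBUgSesO5w8MfiEqrq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9o2MpUIbovv5h3t9EbqtAlKM.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
"""
```

The name check matters more than the path check: the real csrss.exe is started by smss.exe during session setup and is never launched from a Run value, so any autostart entry whose image is named after a core process is wrong by construction, wherever the file lives. The last Run-key write is made by the dropped csrss.exe itself, which is the copy re-asserting its own persistence.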

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2872 set thread context of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
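This single row is the injection step that explains why a .NET framework utility later drops Startup items and DLLs: the submitted sample (PID 2872) rewrote a thread context in regsvcs.exe (PID 2284), the classic process-hollowing sequence of CreateProcess suspended, write the payload, SetThreadContext, resume. The Python below is an added example, not part of the report or of any vendor tooling. It parses the report's SetThreadContext line and rates it by the three signals that separate hollowing from the benign case: whether the write crosses a process boundary, whether the target is one of the signed Microsoft binaries loaders habitually hollow, and where the source image lives. The hollowing-host list and the user-writable path markers are assumptions made for the example; the sample line is copied from the table above.

```python
import re
from dataclasses import dataclass, field

# Report line shape (assumption: image paths have no spaces, true for this report):
#   PID <src> set thread context of <dst> <indicator> <source image> <target image>
SET_CTX_RE = re.compile(
    r'^PID (?P<src_pid>\d+) set thread context of (?P<dst_pid>\d+) '
    r'(?P<indicator>\S+) (?P<src_image>\S+) (?P<dst_image>\S+)$'
)

# Assumed list of signed Microsoft binaries that .NET loaders routinely start
# suspended and hollow out. regsvcs.exe, the target in this report, is one of them.
HOLLOW_HOSTS = {
    "regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
    "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe",
    "cvtres.exe", "regsvr32.exe", "svchost.exe", "explorer.exe",
}
# Assumed path fragments an unprivileged process can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class InjectionFinding:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.reasons:
            return "benign"
        if any("hollowing host" in r for r in self.reasons):
            return "process hollowing (T1055.012)"
        return "suspicious"


def parse_set_thread_context(line: str):
    """Return an InjectionFinding for a SetThreadContext event line, else None."""
    m = SET_CTX_RE.match(line.strip())
    if m is None:
        return None
    return InjectionFinding(int(m["src_pid"]), int(m["dst_pid"]),
                            m["src_image"], m["dst_image"])


def assess(f: InjectionFinding) -> InjectionFinding:
    # A process adjusting the context of its own threads is routine (exception
    # dispatch, debuggers, some runtimes); only a cross-process write is interesting.
    if f.src_pid == f.dst_pid:
        return f
    f.reasons.append("thread context written into another process")
    src = f.src_image.lower()
    dst_name = f.dst_image.lower().rpartition("\\")[2]
    if dst_name in HOLLOW_HOSTS:
        f.reasons.append(f"target {dst_name} is a known hollowing host")
    if any(marker in src for marker in USER_WRITABLE_MARKERS):
        f.reasons.append("source image under a user-writable path")
    if src.rpartition("\\")[2] != dst_name:
        f.reasons.append("source and target are different binaries")
    return f


def triage_set_thread_context(lines):
    """Parse and assess every SetThreadContext event in an iterable of report lines."""
    return [assess(f) for f in map(parse_set_thread_context, lines) if f is not None]


# Sample input: the event from the table above, copied verbatim.
SAMPLE_EVENT = (
    r"PID 2872 set thread context of 2284 N/A "
    r"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe "
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
)

if __name__ == "__main__":
    for f in triage_set_thread_context([SAMPLE_EVENT]):
        print(f"{f.verdict}: {f.src_pid} -> {f.dst_pid} ({f.dst_image}); " + "; ".join(f.reasons))
```

The practical consequence for the rest of this report is that every later event attributed to C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (the Startup .bat drops, the loaded DLLs) is the sample's own code running under a Microsoft-signed image name, and a signature-based allowlist keyed on image path would wave it through.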

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240328223142.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1dg.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1dg.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1dg.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data not reproduced) C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob data not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
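The certificate-store rows above record two different things. The writes to ROOT (thumbprint DF3C24F9BFD666761B268073FE06D1CC8D4F82A4, by both patch.exe and the dropped csrss.exe) install a new trust anchor on the machine, which is what lets the operator intercept or sign whatever it likes afterwards. The AuthRoot write needs more care before it is called malicious: AuthRoot is the store that Windows' automatic root-certificate update populates on demand when a process builds a chain that ends in a Microsoft-distributed third-party root, so a TLS connection by patch.exe can produce that row without any intent to tamper. The Python below is an added example, not part of the report or of any vendor tooling. It groups the rows by store and thumbprint, reports which thumbprints landed in a trust-anchor store without being on an allowlist, and emits PowerShell one-liners to check a live host for the same thumbprints. The sample events are the nine rows above with the blob bytes, which the report does not reproduce, replaced by a placeholder; the allowlist is an assumption (in practice it would come from a golden image or the Microsoft CTL).

```python
import re
from dataclasses import dataclass, field

# Report line shapes (assumption: the writer path has no spaces, true here):
#   Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\<Store>\Certificates\<SHA1> <writer> <target>
#   Set value (data) ...\Certificates\<SHA1>\Blob = <bytes> <writer> <target>
# The report does not reproduce the Blob bytes, so everything after "Blob = " is skipped.
CERT_RE = re.compile(
    r'^(?P<op>Key created|Set value \(data\)) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\'
    r'(?P<store>ROOT|AuthRoot|CA|TrustedPublisher|Disallowed)\\Certificates\\'
    r'(?P<thumbprint>[0-9A-Fa-f]{40})(?:\\Blob = .*)? (?P<writer>\S+) (?P<target>\S+)$'
)
TRUST_ANCHOR_STORES = {"ROOT", "AuthRoot"}
# Registry store name -> folder under the PowerShell Cert:\LocalMachine drive.
STORE_PATHS = {"ROOT": "Root", "AuthRoot": "AuthRoot", "CA": "CA",
               "TrustedPublisher": "TrustedPublisher", "Disallowed": "Disallowed"}


@dataclass
class CertStoreChange:
    store: str
    thumbprint: str
    writers: set = field(default_factory=set)
    ops: list = field(default_factory=list)


def collect_cert_changes(lines):
    """Group certificate-store registry events by (store, thumbprint)."""
    changes = {}
    for line in lines:
        m = CERT_RE.match(line.strip())
        if m is None:
            continue
        key = (m["store"], m["thumbprint"].upper())
        change = changes.setdefault(key, CertStoreChange(*key))
        change.writers.add(m["writer"])
        change.ops.append(m["op"])
    return list(changes.values())


def rogue_trust_anchors(changes, allowlist):
    """Thumbprints written into ROOT or AuthRoot that are not on the allowlist."""
    allowed = {t.upper() for t in allowlist}
    return [c for c in changes
            if c.store in TRUST_ANCHOR_STORES and c.thumbprint not in allowed]


def hunt_commands(changes):
    """PowerShell one-liners that look for the same thumbprints on a live host."""
    return [
        f"Get-ChildItem -Path Cert:\\LocalMachine\\{STORE_PATHS[c.store]}\\{c.thumbprint}"
        " -ErrorAction SilentlyContinue"
        for c in changes
    ]


# Sample input: the nine rows above; "(blob not reproduced)" stands in for the
# certificate bytes, which the report omits.
SAMPLE_EVENTS = r"""
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob not reproduced) C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
"""

if __name__ == "__main__":
    changes = collect_cert_changes(SAMPLE_EVENTS.splitlines())
    for c in rogue_trust_anchors(changes, allowlist=()):
        print(f"{c.store} {c.thumbprint} written by {sorted(c.writers)} ({len(c.ops)} events)")
    print("\n".join(hunt_commands(changes)))
```

Removing the ROOT entry from a compromised host is only part of the cleanup: the same sample has already excluded C:\Windows\rss from Defender and registered csrss.exe to re-run at logon, and that copy wrote the ROOT thumbprint a second time, so the certificate returns unless the persistence goes first.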

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
N/A N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
N/A N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
N/A N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
N/A N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
N/A N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
N/A N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
N/A N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
N/A N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
N/A N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
N/A N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
N/A N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
N/A N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
N/A N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
N/A N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
N/A N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
N/A N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
N/A N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2284 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe
PID 2284 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe
PID 2284 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe
PID 2284 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe
PID 2284 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe
PID 2284 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe
PID 2284 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe
PID 2284 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe
PID 2284 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe
PID 2284 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe
PID 2284 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe
PID 2284 wrote to memory of 2396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe
PID 2284 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe
PID 2284 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe
PID 2284 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe
PID 2284 wrote to memory of 1780 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe
PID 2284 wrote to memory of 1440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\ze9e3MmSfmTZkH2CKn3O39wk.exe
PID 2284 wrote to memory of 1440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\ze9e3MmSfmTZkH2CKn3O39wk.exe
PID 2284 wrote to memory of 1440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\ze9e3MmSfmTZkH2CKn3O39wk.exe
PID 2284 wrote to memory of 1440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\ze9e3MmSfmTZkH2CKn3O39wk.exe
PID 1780 wrote to memory of 2892 N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe
PID 1780 wrote to memory of 2892 N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe
PID 1780 wrote to memory of 2892 N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe
PID 1780 wrote to memory of 2892 N/A C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe
PID 2780 wrote to memory of 1620 N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe C:\Windows\system32\cmd.exe
PID 2780 wrote to memory of 1620 N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe C:\Windows\system32\cmd.exe
PID 2780 wrote to memory of 1620 N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe C:\Windows\system32\cmd.exe
PID 2780 wrote to memory of 1620 N/A C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe C:\Windows\system32\cmd.exe
PID 612 wrote to memory of 1424 N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe C:\Windows\system32\cmd.exe
PID 612 wrote to memory of 1424 N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe C:\Windows\system32\cmd.exe
PID 612 wrote to memory of 1424 N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe C:\Windows\system32\cmd.exe
PID 612 wrote to memory of 1424 N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1620 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1620 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1424 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1424 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1424 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2768 wrote to memory of 1976 N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 1976 N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 1976 N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 1976 N/A C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe C:\Windows\system32\cmd.exe
PID 1976 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1976 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1976 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 612 wrote to memory of 672 N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe C:\Windows\rss\csrss.exe
PID 612 wrote to memory of 672 N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe C:\Windows\rss\csrss.exe
PID 612 wrote to memory of 672 N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe C:\Windows\rss\csrss.exe
PID 612 wrote to memory of 672 N/A C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe C:\Windows\rss\csrss.exe
PID 672 wrote to memory of 2744 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 672 wrote to memory of 2744 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 672 wrote to memory of 2744 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe

"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe

"C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe"

C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe

"C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe"

C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe

"C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240328223142.log C:\Windows\Logs\CBS\CbsPersist_20240328223142.cab

C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe

"C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe"

C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe

"C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe"

C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe

"C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe"

C:\Users\Admin\Pictures\ze9e3MmSfmTZkH2CKn3O39wk.exe

"C:\Users\Admin\Pictures\ze9e3MmSfmTZkH2CKn3O39wk.exe"

C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe

"C:\Users\Admin\Pictures\RwQz64k3zJzBPBN0q1AWhzIf.exe"

C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\u1dg.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1dg.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFHDGDGIID.exe"

C:\Users\Admin\AppData\Local\Temp\AFHDGDGIID.exe

"C:\Users\Admin\AppData\Local\Temp\AFHDGDGIID.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\AFHDGDGIID.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.67.143:443 pastebin.com tcp
US 104.21.79.77:443 yip.su tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
AT 5.42.64.17:80 5.42.64.17 tcp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
US 104.21.32.142:443 shipofdestiny.com tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 172.67.200.219:443 sty.ink tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.160.247:443 operandotwo.com tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 95.101.143.19:80 apps.identrust.com tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 8.8.8.8:53 guseman.org udp
US 172.67.173.167:443 guseman.org tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 833cd42f-ca78-4eee-ac3c-da59f5523e5b.uuid.dumperstats.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.246:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.209:80 185.172.128.209 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server4.dumperstats.org udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server4.dumperstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server4.dumperstats.org tcp

Files

memory/2284-2-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2284-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2284-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2284-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2284-10-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2284-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2284-3-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2284-11-0x0000000004E50000-0x0000000004E90000-memory.dmp

memory/2284-1-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2284-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar398E.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0c1f2cf646fd358a5723b3be0cefc09
SHA1 9287f32e719be04646274c3e86988d644a009061
SHA256 b64d92a76f683fe1332985d8f0830f682609146c32a22d137664ea8cb232b497
SHA512 78ad3c5c1150f32b392332202e41ee33eaaa7667be61f1214ed2ffbd8cb9aa9aa12a780bdfd29ad1f228a51e03e3bd49374a48af674c7d87d953ddb10ae97449

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a9b0e2471e576481b03dd7b773e63b0
SHA1 e50ae339c75b17dc72f598d6c91381ac74e2639b
SHA256 9ced18c7b4a52d5b208ad69f35a1f2d669457502e0be8a3106212358bda94720
SHA512 8bd8e909d5debe3c9fa7e5dd2eb5af726ba4fb8c439919b2c0c6acaea91366872cfbc0ac3befcff9eaedb54007d97b80598f7518933db1d92a534b837b57be8f

C:\Users\Admin\Pictures\BL9reFHBtoDJ7fd09lbMV8VH.exe

MD5 5f066ebf9264cad80bdb1384ce2a6b34
SHA1 a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc
SHA256 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1
SHA512 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5

memory/1276-260-0x0000000002640000-0x0000000002A38000-memory.dmp

memory/1276-280-0x0000000002640000-0x0000000002A38000-memory.dmp

memory/1276-292-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1276-313-0x0000000002A40000-0x000000000332B000-memory.dmp

C:\Users\Admin\Pictures\wkB0t9H9PRySj6BlgkmAzvPe.exe

MD5 6126c6923b352edf2507639b7fe78e8a
SHA1 1fd3edb62b8d44673772fb58a05c43d5360e8e5b
SHA256 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd
SHA512 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736

memory/1636-326-0x0000000002780000-0x0000000002B78000-memory.dmp

memory/1636-327-0x0000000002780000-0x0000000002B78000-memory.dmp

memory/1636-328-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2396-341-0x0000000002780000-0x0000000002B78000-memory.dmp

C:\Users\Admin\Pictures\wjaILiGJearf81sAXi75tI3C.exe

MD5 7fcc0bae1fa98de1d16819e6f85de171
SHA1 d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4
SHA256 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a
SHA512 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29

memory/2284-352-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/1780-353-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/1780-354-0x0000000000B80000-0x0000000000BEE000-memory.dmp

memory/1780-355-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/2396-356-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2284-358-0x0000000004E50000-0x0000000004E90000-memory.dmp

memory/2396-357-0x0000000002780000-0x0000000002B78000-memory.dmp

memory/1636-361-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2768-363-0x0000000002880000-0x0000000002C78000-memory.dmp

memory/2780-366-0x0000000002800000-0x0000000002BF8000-memory.dmp

memory/2780-360-0x0000000002800000-0x0000000002BF8000-memory.dmp

memory/1276-372-0x0000000002640000-0x0000000002A38000-memory.dmp

memory/1276-365-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1636-364-0x0000000002780000-0x0000000002B78000-memory.dmp

memory/2780-373-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\Pictures\ze9e3MmSfmTZkH2CKn3O39wk.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/2768-384-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2768-388-0x0000000002880000-0x0000000002C78000-memory.dmp

memory/1440-387-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/1440-391-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1440-390-0x0000000000B10000-0x0000000000B5A000-memory.dmp

memory/1440-389-0x0000000000294000-0x00000000002BF000-memory.dmp

memory/612-396-0x00000000027E0000-0x0000000002BD8000-memory.dmp

memory/2396-395-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2892-416-0x0000000000C40000-0x0000000000D40000-memory.dmp

memory/2892-415-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/2892-414-0x0000000000220000-0x0000000000247000-memory.dmp

memory/612-413-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1dg.0.exe

MD5 4524e1a1e2725e159d68b3bca2c1b296
SHA1 0e3b226d0ebd227b911c5fc25d6a28478ed0a957
SHA256 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7
SHA512 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca

memory/612-410-0x00000000027E0000-0x0000000002BD8000-memory.dmp

memory/612-425-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/612-426-0x00000000027E0000-0x0000000002BD8000-memory.dmp

memory/672-427-0x0000000002670000-0x0000000002A68000-memory.dmp

memory/1780-428-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/2780-429-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2768-430-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/672-431-0x0000000002670000-0x0000000002A68000-memory.dmp

memory/672-432-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2768-433-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2780-434-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2968-457-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2892-460-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a7dfcabf26351d1dd1713a6ee4dffa2
SHA1 2681aadf5ecfeb0ce854a70b0ba941b7425591e8
SHA256 4f5c906db05b31e58932b1fe4ceaadf37f2be2ef7998111bbd19cee7ac7d0c3c
SHA512 2c32718dd00a9064c7008466827cfb41998b6cb7446988104506ce970cd8bec9bc1a6592de01a6ed83bc9d1f6dfd92712cb5136a79965b663bd14142d63da402

memory/1780-503-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/2892-518-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1dg.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/1780-533-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1780-534-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/672-535-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/3012-538-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 98825408ce95a3ade3d871c9a1ea7ac0
SHA1 f4fbe33f1436440540a5aa6f8429982a8670ee8b
SHA256 e8d42ed61cdc0262e8bc44e73391db430e8ba222f2fc59b91c204138a325b09e
SHA512 85911d91e6a8bbfc1bd99db024eedb70ee5540d3dbd2e90aafa2973285997af65835e260df419ce47915454496a1203ff01ac1e47f11ee90a613988745e729ba

memory/1440-566-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2892-570-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/672-571-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/3012-572-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2892-573-0x0000000000C40000-0x0000000000D40000-memory.dmp

memory/672-583-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/3012-592-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1800-596-0x00000000002C0000-0x0000000003BB8000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1800-605-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

memory/2892-606-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1800-608-0x000000001EB40000-0x000000001EBC0000-memory.dmp

memory/1800-609-0x000000001EA30000-0x000000001EB40000-memory.dmp

memory/1800-611-0x0000000003D10000-0x0000000003D1C000-memory.dmp

memory/1800-610-0x0000000003BF0000-0x0000000003C00000-memory.dmp

memory/1800-612-0x0000000003C00000-0x0000000003C14000-memory.dmp

memory/1800-613-0x000000001DFF0000-0x000000001E014000-memory.dmp

memory/1800-622-0x000000001F540000-0x000000001F5F2000-memory.dmp

memory/1800-624-0x000000001E670000-0x000000001E6D2000-memory.dmp

memory/1800-623-0x0000000005AB0000-0x0000000005B2A000-memory.dmp

memory/1800-621-0x0000000005990000-0x00000000059BA000-memory.dmp

memory/1800-620-0x000000001E440000-0x000000001E44A000-memory.dmp

memory/1800-625-0x0000000005B30000-0x0000000005B3A000-memory.dmp

memory/1800-629-0x000000001FBB0000-0x000000001FEB0000-memory.dmp

memory/1800-631-0x000000001EBC0000-0x000000001EBCA000-memory.dmp

memory/1800-632-0x000000001EB40000-0x000000001EBC0000-memory.dmp

memory/1800-633-0x000000001EB40000-0x000000001EBC0000-memory.dmp

memory/1800-635-0x000000001F5F0000-0x000000001F612000-memory.dmp

memory/1800-634-0x000000001F430000-0x000000001F43A000-memory.dmp

memory/1800-639-0x000000001EB40000-0x000000001EBC0000-memory.dmp

memory/1800-638-0x000000001F610000-0x000000001F61C000-memory.dmp

memory/672-640-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1800-649-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

memory/1800-652-0x000000001EB40000-0x000000001EBC0000-memory.dmp

memory/1800-653-0x000000001EBC0000-0x000000001EBCA000-memory.dmp

memory/1800-654-0x000000001EB40000-0x000000001EBC0000-memory.dmp

memory/2892-656-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/672-658-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\0113d36d94f74f08bf8e5dd9e4a7f704.tmp

MD5 1247bf55de9853dd02001a105dd9676d
SHA1 d224a31b9de5c6a5d7bd0b06834a2c12f3f22c41
SHA256 f9697009e2e2784d2aea0eb87781aabe8e987562fc820e4e93ae93e4dea1d6bc
SHA512 af4aa06c1c8e848618027032afb2d59ddc16015f8dd9d7b007374509564e52c3d04afac06b82885a6752acc684175062579a3a248c6ebf05fcf606946ec55417

memory/672-665-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/672-672-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2892-677-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AFHDGDGIID.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

memory/672-687-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/672-693-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/672-699-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 22:31

Reported

2024-03-28 22:36

Platform

win10-20240221-en

Max time kernel

310s

Max time network

297s

Command Line

sihost.exe

Signatures

Detects DLL dropped by Raspberry Robin.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3988 created 2836 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe c:\windows\system32\sihost.exe

Windows security bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\8duB4vJFti0MccS3P0b1yBfc.exe = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\hC5saQRAyMr63nC82AkSuGif.exe = "0" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\11emSo9fRwPir9zLupewJQjF.exe = "0" C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97BQ92Y9yji78nsPSl8cbilw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fsHglJfBd8Pwf1n4jCJIJHe5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sf46BVyNLFLUwBMWJUni20M5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CuTBZUH77SBM1aZg2Y4deuSc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CUztXvidwtSBfhb8WmcYz0jm.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kPbAz88JrjAuD9hQA0q74YIA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n6hQzlici3lE8DXbUTkoVhxy.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V5kdJ9rbdZCW4f4X9ZdDJpjd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COntRxOsNq7ZDM9tJFlPmlFp.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N7YdnrwlSZl9U1cie1VfVFg2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G0GSnRlMLpHzmsNXexozRxkC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe N/A
N/A N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
N/A N/A C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe N/A
N/A N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe N/A
N/A N/A C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
N/A N/A C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui8.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
N/A N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
N/A N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
N/A N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui8.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ECAFHIIJJE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
N/A N/A C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
N/A N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\8duB4vJFti0MccS3P0b1yBfc.exe = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\11emSo9fRwPir9zLupewJQjF.exe = "0" C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\hC5saQRAyMr63nC82AkSuGif.exe = "0" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion

Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ui8.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ui8.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ui8.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ui8.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ui8.0.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob value elided] C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob value elided] C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe N/A
N/A N/A C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe N/A
N/A N/A C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe N/A
N/A N/A C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui8.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui8.0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui8.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui8.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
N/A N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
N/A N/A C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
N/A N/A C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
N/A N/A C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
N/A N/A C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
N/A N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
N/A N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
N/A N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1292 wrote to memory of 656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe
PID 1292 wrote to memory of 656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe
PID 1292 wrote to memory of 656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe
PID 1292 wrote to memory of 4860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe
PID 1292 wrote to memory of 4860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe
PID 1292 wrote to memory of 4860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe
PID 1292 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe
PID 1292 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe
PID 1292 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe
PID 1292 wrote to memory of 3548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe
PID 1292 wrote to memory of 3548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe
PID 1292 wrote to memory of 3548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe
PID 1292 wrote to memory of 1452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe
PID 1292 wrote to memory of 1452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe
PID 1292 wrote to memory of 1452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe
PID 1292 wrote to memory of 1620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe
PID 1292 wrote to memory of 1620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe
PID 1292 wrote to memory of 1620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe
PID 3548 wrote to memory of 1444 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 1444 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 1444 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 656 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe C:\Users\Admin\AppData\Local\Temp\ui8.0.exe
PID 656 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe C:\Users\Admin\AppData\Local\Temp\ui8.0.exe
PID 656 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe C:\Users\Admin\AppData\Local\Temp\ui8.0.exe
PID 1292 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 1292 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 1292 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 520 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 520 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 520 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 3988 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3988 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3988 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3988 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3988 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 4288 wrote to memory of 2920 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 2920 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 2920 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 4532 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 4532 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 4532 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4532 wrote to memory of 4676 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4532 wrote to memory of 4676 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4532 wrote to memory of 4676 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4860 wrote to memory of 4384 N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
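The WriteProcessMemory rows above read better as a chain than as a flat table: each row names a writer PID and a target PID, and following the writers backwards gives the path from the submitted sample to each final host process. The script below is an added example written for this report, not sandbox output or code from the sample; it parses rows copied from the table (one per distinct writer/target pair) and prints the chain behind every leaf process, plus the list of targets that are Windows-shipped images (AddInProcess32.exe, RegAsm.exe, dialer.exe, powershell.exe), the usual hosts for hollowing and injection because they are signed and look benign in a process list.

```python
import re
from collections import OrderedDict

# Rows copied from the WriteProcessMemory table of this report, one per distinct
# writer/target pair (the sandbox prints one row per call, so pairs repeat there).
ROWS = r"""
PID 2380 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1292 wrote to memory of 656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe
PID 1292 wrote to memory of 4860 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe
PID 1292 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe
PID 1292 wrote to memory of 3548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe
PID 1292 wrote to memory of 1452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe
PID 1292 wrote to memory of 1620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe
PID 3548 wrote to memory of 1444 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3988 N/A C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 656 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe C:\Users\Admin\AppData\Local\Temp\ui8.0.exe
PID 1292 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 520 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 3988 wrote to memory of 2864 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 4288 wrote to memory of 2920 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4288 wrote to memory of 4532 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4532 wrote to memory of 4676 N/A C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe
PID 4860 wrote to memory of 4384 N/A C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

# Writer path is matched non-greedily up to the first ".exe " so that target paths
# containing spaces (the Opera Installer Temp one) still parse.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")


def parse_rows(text):
    """Unique (writer_pid, target_pid, writer_path, target_path) tuples, in table order."""
    seen = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            seen.setdefault((int(m[1]), int(m[2]), m[3], m[4]), True)
    return list(seen)


def build_tree(rows):
    """writer_of: target pid -> first pid that wrote into it; image: pid -> image path."""
    writer_of, image = {}, {}
    for src, dst, src_path, dst_path in rows:
        writer_of.setdefault(dst, src)
        image.setdefault(src, src_path)
        image.setdefault(dst, dst_path)
    return writer_of, image


def chain_to(pid, writer_of):
    """PIDs from the root of the chain down to `pid`, following who wrote into whom."""
    chain = [pid]
    while chain[-1] in writer_of and writer_of[chain[-1]] not in chain:  # cycle guard
        chain.append(writer_of[chain[-1]])
    return chain[::-1]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def os_images_written_into(rows):
    """Targets under the Windows directory: trusted, signed images used as injection hosts."""
    return sorted({basename(dst_path) for _, _, _, dst_path in rows
                   if dst_path.lower().startswith("c:\\windows\\")})


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    writer_of, image = build_tree(rows)
    leaves = sorted(set(writer_of) - set(writer_of.values()))
    for pid in leaves:
        print(" -> ".join(f"{p}:{basename(image[p])}" for p in chain_to(pid, writer_of)))
    print("OS images written into:", ", ".join(os_images_written_into(rows)))
```

Running it shows that 2864 (dialer.exe) sits five hops deep: the sample -> AddInProcess32.exe -> NATm03L4tio3l6eJ4UvPOAzN.exe -> RegAsm.exe -> dialer.exe. The row counts in the table are the second signal: most pairs have three rows, which is what an ordinary parent spawning a child produces, while 2380 wrote eight times into 1292, 3548 eleven times into 3988 and 3988 five times into 2864, the pairs to treat as hollowing rather than plain process creation. On a live host, join these PIDs against process-creation events before drawing the same chain, since PIDs are reused.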

Uses Task Scheduler COM API

persistence

Processes

c:\windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe

"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe

"C:\Users\Admin\Pictures\VEjs7BHKobrHLWTnmEi4ZVQ9.exe"

C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe

"C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe"

C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe

"C:\Users\Admin\Pictures\6pxZv0d6Ft4FVyufZDbPQueI.exe"

C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe

"C:\Users\Admin\Pictures\NATm03L4tio3l6eJ4UvPOAzN.exe"

C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe

"C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe"

C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe

"C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\ui8.0.exe

"C:\Users\Admin\AppData\Local\Temp\ui8.0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 836

C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe

"C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe" --silent --allusers=0

C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe

C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x6dd6e1d0,0x6dd6e1dc,0x6dd6e1e8

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 632

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\d3Rtt3xNbHaK0tIcIC38VKvf.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\d3Rtt3xNbHaK0tIcIC38VKvf.exe" --version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 640

C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe

"C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4288 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328223214" --session-guid=b99013dc-d177-4169-8b97-41361c62d2d9 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=AC04000000000000

C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe

C:\Users\Admin\Pictures\d3Rtt3xNbHaK0tIcIC38VKvf.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2b0,0x2b4,0x27c,0x2b8,0x6cfbe1d0,0x6cfbe1dc,0x6cfbe1e8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ui8.1.exe

"C:\Users\Admin\AppData\Local\Temp\ui8.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECAFHIIJJE.exe"

C:\Users\Admin\AppData\Local\Temp\ECAFHIIJJE.exe

"C:\Users\Admin\AppData\Local\Temp\ECAFHIIJJE.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\ECAFHIIJJE.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282232141\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xf00040,0xf0004c,0xf00058

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe

"C:\Users\Admin\Pictures\8duB4vJFti0MccS3P0b1yBfc.exe"

C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe

"C:\Users\Admin\Pictures\hC5saQRAyMr63nC82AkSuGif.exe"

C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe

"C:\Users\Admin\Pictures\11emSo9fRwPir9zLupewJQjF.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k smphost

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
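The `sc sdset WinDefender ...` command in the list above installs a security descriptor on the WinDefender service (the name matches the dropped C:\Windows\windefender.exe that runs in the same tree). Read as SDDL, it keeps full control for SYSTEM, grants Administrators configuration rights without SERVICE_STOP or SERVICE_PAUSE_CONTINUE, and then adds an explicit deny of those two rights to Administrators, so an elevated `sc stop` or `net stop` on the service fails while SYSTEM can still start it. The parser below is an added example written for this report, not sandbox or malware code; it decodes the descriptor, lists deny ACEs that strip control rights, and runs a simplified single-trustee access walk (no group expansion, no owner or privilege shortcuts) to show which requests succeed.

```python
import re

# Descriptor passed to `sc sdset WinDefender` in the process list above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL rights as they apply to service objects.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
CONTROL_RIGHTS = ("SERVICE_STOP", "SERVICE_PAUSE_CONTINUE", "SERVICE_CHANGE_CONFIG", "DELETE")

# D:/S: introduce the DACL and SACL; optional control flags (e.g. P, AI) precede the ACEs.
SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")
# ACE fields: type;flags;rights;object_guid;inherit_object_guid;account_sid
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);(\w*);(\w*);([\w-]+)\)")


def parse_sddl(sddl):
    """{'D': [ace, ...], 'S': [ace, ...]} with rights and trustees decoded."""
    out = {}
    for kind, _flags, body in SECTION_RE.findall(sddl):
        aces = []
        for ace_type, flags, rights, _obj, _inherit, sid in ACE_RE.findall(body):
            aces.append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": [RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                           for i in range(0, len(rights), 2)],
                "trustee": TRUSTEES.get(sid, sid),
            })
        out[kind] = aces
    return out


def control_denials(sddl):
    """Deny ACEs that remove service-control rights: [(trustee, [rights...]), ...]."""
    hits = []
    for ace in parse_sddl(sddl).get("D", []):
        blocked = [r for r in ace["rights"] if r in CONTROL_RIGHTS]
        if ace["type"] == "deny" and blocked:
            hits.append((ace["trustee"], blocked))
    return hits


def access_granted(sddl, trustee, wanted):
    """Simplified ordered ACE walk for one trustee (no group expansion): the first ACE
    that mentions a still-unsatisfied right decides it, which is why ACE order matters."""
    remaining = set(wanted)
    for ace in parse_sddl(sddl).get("D", []):
        if ace["trustee"] != trustee:
            continue
        hit = remaining & set(ace["rights"])
        if not hit:
            continue
        if ace["type"] == "deny":
            return False
        remaining -= hit
        if not remaining:
            return True
    return not remaining  # unmatched rights at the end of the DACL are an implicit deny


if __name__ == "__main__":
    for who, rights in control_denials(WINDEFENDER_SDDL):
        print(f"{who} explicitly denied: {', '.join(rights)}")
    for who in ("Local System", "Administrators"):
        for right in ("SERVICE_STOP", "SERVICE_CHANGE_CONFIG", "WRITE_DAC"):
            print(f"{who:15} {right:22} {access_granted(WINDEFENDER_SDDL, who, {right})}")
```

Two things worth noting from the output. First, the deny ACE is placed after the allow ACE for the same trustee, which is non-canonical order; it still works here only because the allow ACE never granted SERVICE_STOP or SERVICE_PAUSE_CONTINUE in the first place. Second, Administrators keep SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, so the lock only defeats a casual `net stop`: an administrator can read the descriptor with `sc sdshow WinDefender`, reset it with `sc sdset`, and then stop the service, which is the order of operations to use during cleanup.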

Network


Files
