Malware Analysis Report

2024-11-30 02:07

Sample ID 240328-2lt8daaf2y
Target adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
SHA256 adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
Tags
glupteba stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx lumma rhadamanthys
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8

Threat Level: Known bad

The file adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8 was found to be: Known bad.

Malicious Activity Summary

Lumma Stealer

Glupteba payload

UAC bypass

Stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects DLL dropped by Raspberry Robin.

Windows security bypass

Glupteba

Rhadamanthys

Downloads MZ/PE file

Modifies Windows Firewall

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Reads data files stored by FTP clients

UPX packed file

Loads dropped DLL

Reads user/profile data of local email clients

Drops startup file

Adds Run key to start application

Checks whether UAC is enabled

Manipulates WinMonFS driver.

Modifies boot configuration data using bcdedit

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies system certificate store

System policy modification

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Checks SCSI registry key(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 22:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 22:40

Reported

2024-03-28 22:45

Platform

win7-20240221-en

Max time kernel

287s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Mtch7ty5lIeyhzV9Oq7fQeFk.exe = "0" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\kk83gnNms4TKo0AcDvyIaBgF.exe = "0" C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\38fZKclz2tUQR2znmzg6Yczm.exe = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8nVAlfevgFCVd3uOl3MrshqK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GMcbD48ptFoG98kZjxo4GVZZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XvyF5gCZZiVy5tzgAPIAP6mk.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R3YvY5AXvgbi7vm8e0y5duWI.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zzATMbpdrvSILewPesZRvjql.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OiwV1pasCezUHcLWcpdMKzhC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x0Jc0xvuwDIqqSuilslO75OL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aeXZaqLaI2NNZ1K0d4IDq2m8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4qA4DeijD3ha5sMhcvRPBKuv.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
N/A N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
N/A N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\kk83gnNms4TKo0AcDvyIaBgF.exe = "0" C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\38fZKclz2tUQR2znmzg6Yczm.exe = "0" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Mtch7ty5lIeyhzV9Oq7fQeFk.exe = "0" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Modifies boot configuration data using bcdedit

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1600 set thread context of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240328224133.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not present in this copy of the report] C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not present in this copy of the report] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not present in this copy of the report] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not present in this copy of the report] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data not present in this copy of the report] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
N/A N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
N/A N/A C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
N/A N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
N/A N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
N/A N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
N/A N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
N/A N/A C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
N/A N/A C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
N/A N/A C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
N/A N/A C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
N/A N/A C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
N/A N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
N/A N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
N/A N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
N/A N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
N/A N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1600 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1600 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1600 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1600 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1600 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 1600 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2996 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe
PID 2996 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe
PID 2996 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe
PID 2996 wrote to memory of 3044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe
PID 2996 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\biIS1os86y2FBBFr9Q3IOpZc.exe
PID 2996 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\biIS1os86y2FBBFr9Q3IOpZc.exe
PID 2996 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\biIS1os86y2FBBFr9Q3IOpZc.exe
PID 2996 wrote to memory of 608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\biIS1os86y2FBBFr9Q3IOpZc.exe
PID 2996 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe
PID 2996 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe
PID 2996 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe
PID 2996 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe
PID 2996 wrote to memory of 2192 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe
PID 2996 wrote to memory of 2192 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe
PID 2996 wrote to memory of 2192 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe
PID 2996 wrote to memory of 2192 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe
PID 3044 wrote to memory of 1124 N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe
PID 3044 wrote to memory of 1124 N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe
PID 3044 wrote to memory of 1124 N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe
PID 3044 wrote to memory of 1124 N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe
PID 2996 wrote to memory of 2772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe
PID 2996 wrote to memory of 2772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe
PID 2996 wrote to memory of 2772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe
PID 2996 wrote to memory of 2772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe
PID 3044 wrote to memory of 456 N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe
PID 3044 wrote to memory of 456 N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe
PID 3044 wrote to memory of 456 N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe
PID 3044 wrote to memory of 456 N/A C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe
PID 972 wrote to memory of 2440 N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe C:\Windows\system32\cmd.exe
PID 972 wrote to memory of 2440 N/A C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe

"C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe

"C:\Users\Admin\Pictures\SWOp5Ld6evApLXWFvxdvqTZZ.exe"

C:\Users\Admin\Pictures\biIS1os86y2FBBFr9Q3IOpZc.exe

"C:\Users\Admin\Pictures\biIS1os86y2FBBFr9Q3IOpZc.exe"

C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe

"C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe"

C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe

"C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe"

C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2ck.0.exe"

C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe

"C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe"

C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2ck.1.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240328224133.log C:\Windows\Logs\CBS\CbsPersist_20240328224133.cab

C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe

"C:\Users\Admin\Pictures\kk83gnNms4TKo0AcDvyIaBgF.exe"

C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe

"C:\Users\Admin\Pictures\Mtch7ty5lIeyhzV9Oq7fQeFk.exe"

C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe

"C:\Users\Admin\Pictures\38fZKclz2tUQR2znmzg6Yczm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCFBFHIEBK.exe"

C:\Users\Admin\AppData\Local\Temp\FCFBFHIEBK.exe

"C:\Users\Admin\AppData\Local\Temp\FCFBFHIEBK.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FCFBFHIEBK.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.169.89:443 yip.su tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
DE 185.172.128.144:80 185.172.128.144 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
US 104.21.13.170:443 sty.ink tcp
US 172.67.200.219:443 sty.ink tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 172.67.152.98:443 shipofdestiny.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 104.21.15.5:443 operandotwo.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 8.8.8.8:53 lawyerbuyer.org udp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 88.221.134.137:80 apps.identrust.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 guseman.org udp
US 104.21.80.30:443 guseman.org tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.51:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 29dee6d8-1313-4d2c-823b-ef422dd6c1ae.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 tcp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 udp
US 20.9.155.145:443 tcp
US 20.9.155.145:443 tcp
US 20.9.155.145:443 tcp
US 20.9.155.145:443 tcp
US 8.8.8.8:53 udp
US 20.9.155.145:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 server4.thestatsfiles.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.96:443 server4.thestatsfiles.ru tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server4.thestatsfiles.ru tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
BG 185.82.216.96:443 server4.thestatsfiles.ru tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
N/A 127.0.0.1:31465 tcp

Files

memory/1600-0-0x0000000001140000-0x000000000114E000-memory.dmp

memory/1600-1-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

memory/1600-2-0x000000001B230000-0x000000001B2B0000-memory.dmp

memory/1600-3-0x0000000000260000-0x000000000026A000-memory.dmp

memory/1600-4-0x0000000000390000-0x000000000039A000-memory.dmp

memory/1600-5-0x0000000000AE0000-0x0000000000B5E000-memory.dmp

memory/1600-6-0x0000000000C30000-0x0000000000CAE000-memory.dmp

memory/1600-7-0x00000000005F0000-0x000000000060C000-memory.dmp

memory/1600-8-0x0000000000610000-0x000000000062C000-memory.dmp

memory/1600-9-0x00000000005F0000-0x0000000000604000-memory.dmp

memory/1600-10-0x0000000000AE0000-0x0000000000AF4000-memory.dmp

memory/1600-11-0x00000000005F0000-0x0000000000600000-memory.dmp

memory/1600-12-0x0000000000600000-0x0000000000610000-memory.dmp

memory/1600-13-0x00000000005F0000-0x0000000000608000-memory.dmp

memory/1600-14-0x0000000000B00000-0x0000000000B18000-memory.dmp

memory/1600-15-0x000000001BD30000-0x000000001BE8A000-memory.dmp

memory/1600-16-0x000000001BE90000-0x000000001BFEA000-memory.dmp

memory/1600-17-0x0000000000C30000-0x0000000000CD4000-memory.dmp

memory/1600-18-0x000000001ACB0000-0x000000001AD54000-memory.dmp

memory/1600-19-0x00000000005F0000-0x000000000060A000-memory.dmp

memory/1600-20-0x0000000000B20000-0x0000000000B3A000-memory.dmp

memory/1600-21-0x000000001BD30000-0x000000001BE52000-memory.dmp

memory/1600-22-0x000000001BFF0000-0x000000001C112000-memory.dmp

memory/1600-23-0x0000000000B20000-0x0000000000B64000-memory.dmp

memory/1600-24-0x0000000000C30000-0x0000000000C74000-memory.dmp

memory/1600-25-0x0000000000C30000-0x0000000000CA6000-memory.dmp

memory/1600-26-0x000000001B3B0000-0x000000001B426000-memory.dmp

memory/1600-27-0x0000000000B70000-0x0000000000B80000-memory.dmp

memory/1600-28-0x0000000000B80000-0x0000000000B90000-memory.dmp

memory/1600-29-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/1600-30-0x0000000000C60000-0x0000000000C90000-memory.dmp

memory/1600-31-0x0000000000C30000-0x0000000000CEA000-memory.dmp

memory/1600-32-0x000000001B3B0000-0x000000001B46A000-memory.dmp

memory/1600-33-0x0000000000C30000-0x0000000000C90000-memory.dmp

memory/1600-34-0x0000000000C90000-0x0000000000CF0000-memory.dmp

memory/1600-35-0x0000000000C30000-0x0000000000C52000-memory.dmp

memory/1600-36-0x0000000000C60000-0x0000000000C82000-memory.dmp

memory/1600-37-0x000000001C120000-0x000000001C4E5000-memory.dmp

memory/1600-38-0x000000001E460000-0x000000001E825000-memory.dmp

memory/1600-39-0x0000000000B90000-0x0000000000BAE000-memory.dmp

memory/1600-40-0x0000000000C30000-0x0000000000C4E000-memory.dmp

memory/1600-41-0x000000001B700000-0x000000001B77C000-memory.dmp

memory/1600-42-0x000000001B940000-0x000000001B9BC000-memory.dmp

memory/1600-43-0x000000001B700000-0x000000001B79C000-memory.dmp

memory/1600-44-0x000000001BB30000-0x000000001BBCC000-memory.dmp

memory/1600-45-0x0000000000B90000-0x0000000000B98000-memory.dmp

memory/1600-46-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

memory/1600-47-0x0000000000B90000-0x0000000000B9E000-memory.dmp

memory/1600-48-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

memory/1600-49-0x0000000000B90000-0x0000000000B98000-memory.dmp

memory/1600-50-0x0000000000C50000-0x0000000000C58000-memory.dmp

memory/1600-51-0x0000000000C90000-0x0000000000CB2000-memory.dmp

memory/1600-52-0x0000000000CC0000-0x0000000000CE2000-memory.dmp

memory/1600-53-0x0000000000C90000-0x0000000000CAA000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 22:40

Reported

2024-03-28 22:45

Platform

win10-20240214-en

Max time kernel

299s

Max time network

287s

Command Line

sihost.exe

Signatures

Detects DLL dropped by Raspberry Robin.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 932 created 2840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe c:\windows\system32\sihost.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\16nVp1TabdSC2LoD4GzGserO.exe = "0" C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\lIbJr8AoMYy0x7nNwLcVPxb1.exe = "0" C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\79zVGVBHVKwV3pzMGpPa7QOw.exe = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DRx6RbkXPZ11ldxu1KYLIIOF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w8yOdLFAQEnvgfvmmPf1Z2pV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H7ZAkAk9qtuwveYPeKPdtJsH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\06kH0mggRfjD35zhQKP42nmR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RzPE6diRJUoypzJ4qH9urcfs.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BUgfoHnBetiV7WxNm1ZwG5ya.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OL94ccLxrkwzyeZUSrUsDHhS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CmI8PcPJC7hd9QyesOqSpAj3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CaEVIdCnQK7L9qutEK83P9TL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eHZBKNoV7aKm1iY1g3OvQLw8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VMFd2yHrvDxc1AIGM1SLqhk1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe N/A
N/A N/A C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe N/A
N/A N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe N/A
N/A N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
N/A N/A C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
N/A N/A C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uj0.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
N/A N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
N/A N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
N/A N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uj0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe N/A
N/A N/A C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
N/A N/A C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\lIbJr8AoMYy0x7nNwLcVPxb1.exe = "0" C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\79zVGVBHVKwV3pzMGpPa7QOw.exe = "0" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\16nVp1TabdSC2LoD4GzGserO.exe = "0" C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uj0.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uj0.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uj0.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\uj0.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\uj0.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe N/A
N/A N/A C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe N/A
N/A N/A C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe N/A
N/A N/A C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uj0.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uj0.0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uj0.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uj0.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
N/A N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
N/A N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
N/A N/A C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
N/A N/A C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
N/A N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 4128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 4128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 4128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 4128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 4128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 4128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 4128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2460 wrote to memory of 684 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe
PID 2460 wrote to memory of 684 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe
PID 2460 wrote to memory of 684 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe
PID 2460 wrote to memory of 872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe
PID 2460 wrote to memory of 872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe
PID 2460 wrote to memory of 872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe
PID 2460 wrote to memory of 2992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe
PID 2460 wrote to memory of 2992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe
PID 2460 wrote to memory of 2992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 932 N/A C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2460 wrote to memory of 2292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe
PID 2460 wrote to memory of 2292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe
PID 2460 wrote to memory of 2292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe
PID 2460 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe
PID 2460 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe
PID 2460 wrote to memory of 1428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe
PID 2460 wrote to memory of 3584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe
PID 2460 wrote to memory of 3584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe
PID 2460 wrote to memory of 3584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe
PID 684 wrote to memory of 2856 N/A C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe C:\Users\Admin\AppData\Local\Temp\uj0.0.exe
PID 684 wrote to memory of 2856 N/A C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe C:\Users\Admin\AppData\Local\Temp\uj0.0.exe
PID 684 wrote to memory of 2856 N/A C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe C:\Users\Admin\AppData\Local\Temp\uj0.0.exe
PID 932 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 932 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 932 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 932 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 932 wrote to memory of 3036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2460 wrote to memory of 4188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 2460 wrote to memory of 4188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 2460 wrote to memory of 4188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 1332 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 1332 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 1332 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 4424 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 4424 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 4424 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4188 wrote to memory of 4084 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4084 wrote to memory of 4892 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4084 wrote to memory of 4892 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 4084 wrote to memory of 4892 N/A C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe
PID 3584 wrote to memory of 1408 N/A C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 1408 N/A C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Uses Task Scheduler COM API

persistence

Processes

c:\windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe

"C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe

"C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe"

C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe

"C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe"

C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe

"C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe

"C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe"

C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe

"C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 836

C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe

"C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe"

C:\Users\Admin\AppData\Local\Temp\uj0.0.exe

"C:\Users\Admin\AppData\Local\Temp\uj0.0.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 612

C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe

"C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe" --silent --allusers=0

C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe

C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6ddfe1d0,0x6ddfe1dc,0x6ddfe1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YVDMuxEHxSpvKeCOkRgibyCW.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\YVDMuxEHxSpvKeCOkRgibyCW.exe" --version

C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe

"C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4188 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328224058" --session-guid=805e71e6-ca0b-47fa-ad77-c46cea898fea --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C004000000000000

C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe

C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6d47e1d0,0x6d47e1dc,0x6d47e1e8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\uj0.1.exe

"C:\Users\Admin\AppData\Local\Temp\uj0.1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe"

C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe

"C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe

"C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe"

C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe

"C:\Users\Admin\Pictures\79zVGVBHVKwV3pzMGpPa7QOw.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xd40040,0xd4004c,0xd40058

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe

"C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
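
The command lines above are the sample's persistence and defence-evasion steps in the clear: a scheduled task named csrss that runs C:\Windows\rss\csrss.exe at every logon with the highest run level, an inbound Windows Firewall allow rule for the same binary, a ping-then-del self-delete of the dropped HJKECAAAFH.exe, a DLL loaded into taskmgr.exe by injector.exe, and an sc sdset on the WinDefender service whose descriptor contains the ACE (D;;WPDT;;;BA), an explicit deny of SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) to the built-in Administrators group. The script below is an added example, not part of the report and not the sandbox's own signature logic; it runs a handful of such rules over command lines copied from the listing and decodes the SDDL so the deny ACE is spelled out. SYSTEM_DIRS, LOOKALIKE_NAMES and the wording of the findings are this example's own choices.

```python
"""Flag persistence and defence-evasion tells in sandbox command lines.

Added example written for this report; it is not the sandbox's own signature
logic.  The entries in SAMPLE_CMDLINES are copied from the process listing
above.  The rules, the SYSTEM_DIRS and LOOKALIKE_NAMES lists and the wording
of the findings are this example's own choices.
"""
import re

# Service access rights as abbreviated in SDDL strings (sc sdset / sc sdshow).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# One ACE: (type;flags;rights;object-guid;inherit-guid;trustee).  Only the
# three fields used here are captured.
ACE_RE = re.compile(r"\((A|D);[^;]*;([A-Z]*);;;([A-Z]+)\)")
# Directories a scheduled task or firewall rule would normally point into.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
# csrss.exe is a real Windows binary that lives only in System32; windefender.exe
# is not a Windows binary at all.  Both names are picked to blend into a process list.
LOOKALIKE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "windefender.exe"}


def decode_sddl_aces(sddl):
    """Return [(ace_type, [right names], trustee)] for the DACL part of an SDDL string."""
    dacl = sddl.split("S:", 1)[0]                       # drop the SACL, if present
    aces = []
    for ace_type, rights, sid in ACE_RE.findall(dacl):
        names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)]
        aces.append((ace_type, names, sid))
    return aces


def triage(cmdline):
    """Return the findings for one command line (an empty list when nothing matched)."""
    low = cmdline.lower()
    findings = []
    m = re.search(r'schtasks\s+/create.*/sc\s+onlogon.*/rl\s+highest.*/tr\s+"?([^"]+?)"?\s+/tn\s+(\S+)', low)
    if m and not m.group(1).startswith(SYSTEM_DIRS):
        findings.append(f"logon task '{m.group(2)}' runs {m.group(1)} with highest privileges")
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow.*program="?([^"\s]+)', low)
    if m and not m.group(1).startswith(SYSTEM_DIRS):
        findings.append(f"inbound firewall allow rule for {m.group(1)}")
    m = re.search(r"\bsc\s+sdset\s+(\S+)\s+(D:\S+)", cmdline, re.IGNORECASE)
    if m:
        for ace_type, rights, sid in decode_sddl_aces(m.group(2)):
            if ace_type == "D" and sid == "BA":          # explicit deny against Administrators
                findings.append(f"service {m.group(1)}: Administrators denied {', '.join(rights)}")
    m = re.search(r"ping\s+\S+\s+-n\s+\d+.*&\s*del\s+(\S+)", low)
    if m:
        findings.append(f"ping-delayed self-delete of {m.group(1)}")
    m = re.match(r'"?([^"\s]+\.exe)', low)
    if m:
        name = m.group(1).rsplit("\\", 1)[-1]
        if name in LOOKALIKE_NAMES and not m.group(1).startswith(SYSTEM_DIRS):
            findings.append(f"system-lookalike name {name} running from {m.group(1)}")
    if "injector" in low and "taskmgr.exe" in low and ".dll" in low:
        findings.append("DLL injected into taskmgr.exe (process-hiding tell)")
    return findings


def triage_all(cmdlines):
    """Map each command line that produced findings to those findings."""
    return {c: f for c in cmdlines if (f := triage(c))}


# Copied from the process listing above.
SAMPLE_CMDLINES = [
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe',
    r'C:\Windows\rss\csrss.exe',
    r'"C:\Windows\windefender.exe"',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'powershell -nologo -noprofile',
    r'schtasks /delete /tn ScheduledUpdate /f',
]

if __name__ == "__main__":
    for cmd, hits in triage_all(SAMPLE_CMDLINES).items():
        print(cmd[:70])
        for h in hits:
            print("   ->", h)
```

Two points the decoded descriptor makes obvious. First, the allow ACE for BA in the same string (A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA) still grants WRITE_DAC (WD) and DELETE (SD), so from an elevated prompt a responder can write a normal descriptor back with sc sdset WinDefender and then stop or delete the service; the deny ACE only defeats the first sc stop. Second, the schtasks and netsh rules key on the target path lying outside System32, SysWOW64 and Program Files, which is what makes C:\Windows\rss\csrss.exe stand out despite the system-sounding name; the same test applies to the firewall rule, which is how an inbound listener for that binary gets through the host firewall.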

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.21.79.77:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
AT 5.42.64.17:80 5.42.64.17 tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 8.8.8.8:53 sty.ink udp
US 104.21.13.170:443 sty.ink tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 8.8.8.8:53 operandotwo.com udp
US 104.21.13.170:443 sty.ink tcp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 172.67.160.247:443 operandotwo.com tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 8.8.8.8:53 net.geo.opera.com udp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 104.21.63.71:443 lawyerbuyer.org tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 guseman.org udp
US 104.21.80.30:443 guseman.org tcp
US 8.8.8.8:53 241.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 77.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 17.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 98.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 170.13.21.104.in-addr.arpa udp
US 8.8.8.8:53 190.73.21.217.in-addr.arpa udp
US 8.8.8.8:53 247.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 71.63.21.104.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 144.210.57.176.in-addr.arpa udp
US 8.8.8.8:53 30.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 herdbescuitinjurywu.shop udp
US 104.21.69.91:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 91.69.21.104.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
DE 185.172.128.144:80 185.172.128.144 tcp
US 104.21.69.91:443 herdbescuitinjurywu.shop tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 104.21.69.91:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 209.128.172.185.in-addr.arpa udp
US 104.21.69.91:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
NL 82.145.216.16:443 - tcp
NL 82.145.216.24:443 - tcp
US 8.8.8.8:53 - udp
US 104.18.10.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 - tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.50:443 download.iolo.net tcp
US 8.8.8.8:53 50.56.244.143.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.216.24:443 download.opera.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 150.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 08d936f6-f66f-4de2-9530-176af65e295a.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 server15.thestatsfiles.ru udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
N/A 127.0.0.1:31465 - tcp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
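
The table above mixes several kinds of traffic that deserve different handling: the DNS queries themselves; reverse lookups (the in-addr.arpa names) for addresses already contacted, which add no new indicator; the update and download traffic of the bundled Opera and iolo installers seen in the process listing (net.geo.opera.com, download.opera.com, desktop-netinstaller-sub.osp.opera.software, svc.iolo.com, download.iolo.net, applicationinsights.azure.com); plain-HTTP connections to bare addresses in 185.172.128.0/24 and to 5.42.64.17; public services such as pastebin.com, iplogger.com and cdn.discordapp.com; and a remaining set of domains reached over TLS. The script below is an added example, not part of the report, that parses rows in this table's layout and sorts them into those buckets. A row whose domain column is empty borrows the name recorded for the same address elsewhere in the table (20.157.87.45 is svc.iolo.com in a later row, 82.145.216.24 is download.opera.com), so bare-IP rows are only those for which no name was ever seen. The bucket names and the VENDOR and PUBLIC_SERVICE suffix lists are this example's own choices, not the sandbox's classification.

```python
"""Bucket the rows of a sandbox 'Network' table for triage.

Added example written for this report.  SAMPLE_ROWS is a constructed excerpt of
the table above in the same layout (country, destination, optional domain,
protocol).  The bucket names and the VENDOR / PUBLIC_SERVICE suffix lists are
this example's own choices, not the sandbox's classification.
"""
import ipaddress

SAMPLE_ROWS = """\
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
DE 185.172.128.144:80 185.172.128.144 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 241.110.86.104.in-addr.arpa udp
NL 82.145.216.16:443 tcp
NL 82.145.216.24:443 tcp
US 8.8.8.8:53 udp
US 20.157.87.45:80 tcp
US 172.67.188.178:443 iplogger.com tcp
US 20.157.87.45:80 svc.iolo.com tcp
NL 82.145.216.24:443 download.opera.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
N/A 127.0.0.1:31465 tcp
"""

# Traffic explained by the bundled Opera and iolo installers that appear in the
# process listing (suffix match).  Chosen for this example.
VENDOR = ("opera.com", "opera.software", "operacdn.com", "iolo.com", "iolo.net",
          "applicationinsights.azure.com")
# Legitimate public services often used as dead drops or beacon targets.
PUBLIC_SERVICE = ("pastebin.com", "iplogger.com", "cdn.discordapp.com")


def parse_row(line):
    """Return (ip, port, domain_or_None, proto).  The domain column may be absent,
    '-' or a repeat of the IP when the sandbox had no name for the address."""
    parts = line.split()
    if len(parts) == 4:
        _country, dest, domain, proto = parts
    elif len(parts) == 3:
        _country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    if domain in (ip, "-"):
        domain = None
    return ip, int(port), domain, proto


def _suffix_in(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(table_text):
    """Bucket every flow; a row with no name borrows the name seen for the same IP."""
    rows = [parse_row(l) for l in table_text.splitlines() if l.strip()]
    # Name map learned from named, non-DNS rows (DNS rows name the query, not the server).
    names = {ip: dom for ip, port, dom, proto in rows
             if dom and not (proto == "udp" and port == 53)}
    buckets = {k: set() for k in ("noise_rdns", "queried", "vendor", "public_service",
                                  "bare_ip_http", "unnamed_tls", "loopback", "other")}
    for ip, port, dom, proto in rows:
        if proto == "udp" and port == 53:                   # DNS query: dom is the name asked for
            if dom:
                buckets["noise_rdns" if dom.endswith(".in-addr.arpa") else "queried"].add(dom)
            continue
        dom = dom or names.get(ip)
        endpoint = f"{dom or ip}:{port}"
        if ipaddress.ip_address(ip).is_loopback:
            buckets["loopback"].add(endpoint)
        elif dom is None and port == 80:
            buckets["bare_ip_http"].add(endpoint)
        elif dom is None:
            buckets["unnamed_tls" if port == 443 else "other"].add(endpoint)
        elif _suffix_in(dom, PUBLIC_SERVICE):
            buckets["public_service"].add(endpoint)
        elif _suffix_in(dom, VENDOR):
            buckets["vendor"].add(endpoint)
        else:
            buckets["other"].add(endpoint)
    return buckets


if __name__ == "__main__":
    for name, members in classify(SAMPLE_ROWS).items():
        print(f"{name:15} {sorted(members)}")
```

On the full table the "other" bucket (yip.su, shipofdestiny.com, sty.ink, operandotwo.com, cu82342.tw1.ru, lawyerbuyer.org, guseman.org, herdbescuitinjurywu.shop, server15.thestatsfiles.ru, carsalessystem.com and the rest) is the list to work through by hand; the bare-IP HTTP and public-service rows are the ones a network rule can match cheaply, the vendor rows are explained by the decoy installers, and the in-addr.arpa rows should be dropped from any indicator list built from this page.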

Files

memory/4128-0-0x00000180D8560000-0x00000180D856E000-memory.dmp

memory/4128-1-0x00007FFCBE540000-0x00007FFCBEF2C000-memory.dmp

memory/4128-2-0x00000180F2940000-0x00000180F2950000-memory.dmp

memory/4128-3-0x00000180D8930000-0x00000180D893A000-memory.dmp

memory/4128-7-0x00000180F3A10000-0x00000180F3A28000-memory.dmp

memory/4128-6-0x00000180D8960000-0x00000180D8970000-memory.dmp

memory/4128-5-0x00000180F2A50000-0x00000180F2A64000-memory.dmp

memory/4128-4-0x00000180F2A50000-0x00000180F2A6C000-memory.dmp

memory/4128-8-0x00000180F3BB0000-0x00000180F3D0A000-memory.dmp

memory/4128-9-0x00000180F3B00000-0x00000180F3BA4000-memory.dmp

memory/4128-10-0x00000180F3A10000-0x00000180F3A2A000-memory.dmp

memory/4128-11-0x00000180F3E70000-0x00000180F3F92000-memory.dmp

memory/4128-12-0x00000180F3AC0000-0x00000180F3B04000-memory.dmp

memory/4128-14-0x00000180D8960000-0x00000180D8970000-memory.dmp

memory/4128-15-0x00000180F3AA0000-0x00000180F3AD0000-memory.dmp

memory/4128-13-0x00000180F3C60000-0x00000180F3CD6000-memory.dmp

memory/4128-16-0x00000180F4190000-0x00000180F424A000-memory.dmp

memory/4128-17-0x00000180F3C60000-0x00000180F3CC0000-memory.dmp

memory/4128-18-0x00000180F3A70000-0x00000180F3A92000-memory.dmp

memory/4128-19-0x00000180F4310000-0x00000180F46D5000-memory.dmp

memory/4128-21-0x00000180F40D0000-0x00000180F414C000-memory.dmp

memory/4128-20-0x00000180F3A10000-0x00000180F3A2E000-memory.dmp

memory/4128-22-0x00000180F4310000-0x00000180F43AC000-memory.dmp

memory/4128-23-0x00000180F2A70000-0x00000180F2A78000-memory.dmp

memory/4128-28-0x00000180F2A70000-0x00000180F2A7A000-memory.dmp

memory/4128-32-0x00000180F4AB0000-0x00000180F4C26000-memory.dmp

memory/4128-33-0x00000180F3F50000-0x00000180F3F72000-memory.dmp

memory/4128-36-0x00000180F3F50000-0x00000180F3F7A000-memory.dmp

memory/4128-43-0x00000180F4310000-0x00000180F435A000-memory.dmp

memory/4128-49-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-54-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-56-0x00000180F4DB0000-0x00000180F5115000-memory.dmp

memory/4128-57-0x00000180F4AB0000-0x00000180F4BBA000-memory.dmp

memory/4128-55-0x00000180F4210000-0x00000180F4222000-memory.dmp

memory/4128-58-0x00000180F5B30000-0x00000180F5F0A000-memory.dmp

memory/4128-53-0x00000180F4AB0000-0x00000180F4C2A000-memory.dmp

memory/4128-52-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-59-0x00000180F4520000-0x00000180F45CA000-memory.dmp

memory/4128-60-0x00000180F43B0000-0x00000180F442E000-memory.dmp

memory/4128-51-0x00000180F41D0000-0x00000180F41EA000-memory.dmp

memory/4128-63-0x00000180F4F70000-0x00000180F5016000-memory.dmp

memory/4128-62-0x00000180F4310000-0x00000180F433E000-memory.dmp

memory/4128-61-0x00000180F4AB0000-0x00000180F4B1E000-memory.dmp

memory/4128-50-0x00000180F4520000-0x00000180F4584000-memory.dmp

memory/4128-48-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-47-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-46-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-45-0x00000180F3F70000-0x00000180F3F90000-memory.dmp

memory/4128-44-0x00000180F3A20000-0x00000180F3A30000-memory.dmp

memory/4128-42-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-41-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-40-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-39-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-38-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-37-0x00000180F3A20000-0x00000180F3A28000-memory.dmp

memory/4128-35-0x00000180F3A20000-0x00000180F3A30000-memory.dmp

memory/4128-34-0x00000180F4FC0000-0x00000180F51C8000-memory.dmp

memory/4128-31-0x00000180F43C0000-0x00000180F4470000-memory.dmp

memory/4128-30-0x00000180F3C60000-0x00000180F3C80000-memory.dmp

memory/4128-29-0x00000180F3C60000-0x00000180F3C72000-memory.dmp

memory/4128-27-0x00000180F3B60000-0x00000180F3B7A000-memory.dmp

memory/4128-26-0x00000180F3C60000-0x00000180F3C82000-memory.dmp

memory/4128-25-0x00000180F2A70000-0x00000180F2A78000-memory.dmp

memory/4128-24-0x00000180F2A70000-0x00000180F2A7E000-memory.dmp

memory/2460-235-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4128-246-0x00007FFCC06D0000-0x00007FFCC0703000-memory.dmp

memory/4128-247-0x00000180F3880000-0x00000180F38B3000-memory.dmp

memory/4128-249-0x00007FFCC4E10000-0x00007FFCC4E1B000-memory.dmp

memory/4128-251-0x00007FFCC4E10000-0x00007FFCC4E17000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ca1x4j1x.h0x.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4128-263-0x00000180F2A90000-0x00000180F2AA4000-memory.dmp

memory/4128-265-0x00000180F38F0000-0x00000180F3928000-memory.dmp

memory/4128-267-0x00000180F3930000-0x00000180F3968000-memory.dmp

memory/4128-272-0x00007FFCBE260000-0x00007FFCBE394000-memory.dmp

memory/4128-277-0x00007FFCBE260000-0x00007FFCBE398000-memory.dmp

memory/4128-285-0x00007FFCC02C0000-0x00007FFCC02DC000-memory.dmp

memory/4128-295-0x00007FFCC02C0000-0x00007FFCC02DB000-memory.dmp

memory/4128-308-0x00007FFCC01B0000-0x00007FFCC01D2000-memory.dmp

C:\Users\Admin\Pictures\neWvK2u00yEi7UHhbZSovnyn.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

memory/4128-327-0x00007FFCC02C0000-0x00007FFCC02DD000-memory.dmp

C:\Users\Admin\Pictures\j4U8tGMxtzIeMTUS3mSGkCmz.exe

MD5 aaa335d09bf6f7d8367a100a848fe188
SHA1 cc7665f4b44248ea1684edccf3ace38bbba1430e
SHA256 1325821b8a887e0a67515f76fc2be7f8d7677bd90853391ea56fa9a053b52d99
SHA512 a68499fa66c6bab3d99590b29f0d43af7790338e142e07b093bd49263c76060232e99fc487598ae1a4d611e817a989ed839b461d85c3af89c3839e3324b50612

C:\Users\Admin\Pictures\VvG5vyGRj0JD9U61ClEFUEmw.exe

MD5 37e3f16536f90166e23567b4916ba2f1
SHA1 0f912cbf8dd1b0e6cb1e9e4725a8aecd247a5927
SHA256 9d3ee7b7a06f4c5e15ac1b6c9b7fb9511982999521d7e1fbbf81e89decaf3486
SHA512 bd5bc70378a106a25ec7bcea732f85d74ae19d648bad490ebc7c5bbeee3f124f1b7f23ebecaeaead5289fda6dd8f4c73c3df2355315625a6144b83563c52a902

C:\Users\Admin\Pictures\Vtjo9pcdmBaAkbHmv3YJBMql.exe

MD5 7fcc0bae1fa98de1d16819e6f85de171
SHA1 d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4
SHA256 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a
SHA512 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29

C:\Users\Admin\Pictures\N0NEKdpgcv9SZFFjqVUCqjjC.exe

MD5 d3261c8dada16881b153081ce0e61891
SHA1 907f2c63ef35ded1f8c1c25a49b7ecb18223bdba
SHA256 8c5ee623ec873038f4df7a7969f775fbd0c808f6d35fa5b3b0d8ee421330e608
SHA512 831b176332004844f03d030a6e67670044f4a6e6a61226b00baee8da8a7bf248b67e99e06b72f2870af96d0b4be4280ae00fc392c80e1001809cb80304ff8957

C:\Users\Admin\Pictures\PnXhOpNQd26VoVq1dNyFh4q7.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

C:\Users\Admin\Pictures\yNI0MiM8hFKuMT13OuhoUwtY.exe

MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

memory/932-402-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\Pictures\16nVp1TabdSC2LoD4GzGserO.exe

MD5 6126c6923b352edf2507639b7fe78e8a
SHA1 1fd3edb62b8d44673772fb58a05c43d5360e8e5b
SHA256 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd
SHA512 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736

memory/932-416-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\Pictures\lIbJr8AoMYy0x7nNwLcVPxb1.exe

MD5 5f066ebf9264cad80bdb1384ce2a6b34
SHA1 a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc
SHA256 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1
SHA512 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5

C:\Users\Admin\AppData\Local\Temp\uj0.0.exe

MD5 4524e1a1e2725e159d68b3bca2c1b296
SHA1 0e3b226d0ebd227b911c5fc25d6a28478ed0a957
SHA256 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7
SHA512 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca

memory/932-517-0x0000000003610000-0x0000000003A10000-memory.dmp

memory/932-519-0x0000000003610000-0x0000000003A10000-memory.dmp

memory/932-521-0x00007FFCCBA30000-0x00007FFCCBC0B000-memory.dmp

memory/932-523-0x00000000765B0000-0x0000000076772000-memory.dmp

memory/3036-525-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

memory/3036-530-0x0000000004590000-0x0000000004990000-memory.dmp

memory/3036-531-0x00007FFCCBA30000-0x00007FFCCBC0B000-memory.dmp

memory/3036-534-0x00000000765B0000-0x0000000076772000-memory.dmp

memory/2856-538-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\Pictures\YVDMuxEHxSpvKeCOkRgibyCW.exe

MD5 b9c6ca60b9f13ce420d00bdd3e7cd7b5
SHA1 89a8e08c19bc307c25547ebe40edd1c1a66a6225
SHA256 bc7618f4ed88555064918dc5dd637def2d4fc95a5bff878c042a5dcbd0bc9ef8
SHA512 d5171c5f31d1e211c76b7ee0a5b4253e2bebdbe6379eecdcea7b3c231ca594a06c224033724384e434b0be19c8f0489afec30890e664131308aca68431fdb777

\Users\Admin\AppData\Local\Temp\Opera_installer_2403282240583764188.dll

MD5 117176ddeaf70e57d1747704942549e4
SHA1 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA256 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512 ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 41dc988791533287ff8fd17d7f22f279
SHA1 9ce6a8862239a4e3191cefb7662c33987fb3a70b
SHA256 e3ecba6f3dd90d9c3891ae461c504d2da4784db25740ce7d415715a915883e23
SHA512 75090cf0f76e58e15a6d459ca1aab59cf3c9ee89d425e9c42d5bae33f58f6706c0f19ddf8b7e4efc05b7277792a816e7b5f6da324a616bf941aa01a8589dfee0

C:\Users\Admin\AppData\Local\Temp\uj0.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/684-666-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/2292-897-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1428-901-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2856-909-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/2856-961-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HJKECAAAFH.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 9a507117f44e486eabd7121ec65cec15
SHA1 d4c6cc5628ab25fa860a702ba0748b71ddc1edd5
SHA256 ca6afdbcc3e137dceaa2c06fac0cd36141b1d4f416c9ecba623f42fb9fa148f6
SHA512 830e1a774772b1977eb6a2bdc8535f10383716725ff64ca000b44dde2869e457894e5468bc5d40597eb1a2209215afb7f3f4f9d70e0a5ef2ca7f9acbf42192df

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 34cbce7a86066983ddec1c5c7316fa24
SHA1 a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9
SHA256 23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42
SHA512 f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 1537f30bfe919578e23f9245b6f452d4
SHA1 67ef8cb446db34d64b507e29d802dd85356a2aaa
SHA256 2cafe49a88999d3f3ce1416f2969bc00ce1f151ebef868dc2358a3d19deb5537
SHA512 bec1b77d95fd9864ddb0fb9ddac1f3b0a8f6f476aa6041f4abdf4cccfea6836e077b7378e44f835cd93de57733a025d24cb5d77d96a3e3f86ad2812b884bc6e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 022e819aeea857fe0b10a240818ce911
SHA1 ed5555a0ad67da9f20e218b26f2e70f39fdd29c5
SHA256 f0a6f0494cdb6d31c8f9ef16ce92d178a73bd2a4ef8261afa3eb2f10a5ea5968
SHA512 43799a7031aa85d9a2d11ff0c279a0ec7c6ed50e0b1d5d015e58555b346e2af6bed978d2cf44cdb45bdb7117742b7b8de679687b24773b131450a5949af717c1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\opera_package

MD5 12bb8c521aaf552dbb846f637954188f
SHA1 2f782cd411aa37ee1be2311565eaf11267ea52ba
SHA256 47032c3915d47ae9f3978ff4bb9276d2d0d12a3819589f17cff8e45e970eed03
SHA512 2ecc44349d72ab4e26d27f7df6d73c6be1f6792bebe7e18a2a1216a428f3357f4fa96db232d96739216d7e2d6c18fe3007ab442a7e5f20096d3566cf02de3bd1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\additional_file0.tmp

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\dbgcore.dll

MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282240581\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5591578d0320bdaf75cee4ff9a5d9f2f
SHA1 dd5a7c50a3aba54e6d0dd7461922d40aca6f2695
SHA256 9f1d759d70c5fbc3b1d183138eecc6ee1a5788300c5776f62a511447b9847de9
SHA512 d6cc7cdae4fab052b9c5e5a56e3b193456f7373f9137b0dd65ebbd74d4d5c339bc98bcd4644b9e2b51f38aec4ceb9bb385a758c07ee122d7bfe318f8c96441e8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a4d7ba2d91845809c6378b5124f3d380
SHA1 de3b5d5560d1fba59a576e01d8109b8c3234cf99
SHA256 1ec088cc561b38c170e44c9a7386f148951c8c215fb7dc802b70a373514aa6ac
SHA512 f06606481ee9d4573dc23f60c7826dcdbf68958fd28ad2013f6fc608cd155ddee8a5508471f9e60cab40a72ff7175773e043d582e5a74daf3443846327434da7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0cad059830c16bbeba0d9639f3da3db7
SHA1 0361eb298bea3b1532a80b044312ca9934dff465
SHA256 d0200f70a1cef3bcd2b8e042578bcfb49978e0546681ff8c228429dfa1ffb64f
SHA512 678f6ee7259902b33bd75a82e1ccc2ad8f15e8dfeded7fdc869640f892803a681b503ce67f76a078d54ce1cd30f6b41bbc155d07523c0b01a905db9233e2a28f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b3a1917ef9df6aeb01f0c9fb5448d33
SHA1 de87ed0be5cbddf5e3c56a9f61c2b31352c5798a
SHA256 e49e5961981328986c61e3e9c933a4f65d70e5acc7b4ab4f8ea19b7ca9a818f6
SHA512 008863721abc5a06ef461456ae2b4a511bdcc8d4a6a3dd3c4f3cf9b3eefbd78d1c5b330edced43c2a6c38fa846e28a3f8bda778d92943592b03ec93720699c1b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f965fb3aebe21eaad36b680f884e52c9
SHA1 27a34a12edca591de9d8a26b80e462e0d0c6422e
SHA256 524b5fbd0c1255fefc2176af49983caf4aaf70472943b5c55eae454716f26879
SHA512 fa55f5e7d1366516e62c9fd95d987335eedbc47303a8cbae26ec4ec09b2de8805e3f844f7bdb5f58d2129cef969e26619f4e3c9ebd6ffe03476607d21160ba0f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bc3de1381ca2fcacce43774facccf1d8
SHA1 7de88d7e9f127025dce6f5bd9e6eefcc34e6a93f
SHA256 81cbd09644e895791c306033e3406d99d778dd9afd912650ee36a5f1987b55ca
SHA512 c60c85f44ac64f9003225fa5f3f7f31824925780a122f4db5ed2e82f9dd8a90ddeabe063927c34bea76d8f8d2407f94c707b0dc359baf9e16b70d7aab068a277

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 364b9968975d7141e73390e601607ae9
SHA1 aa65221d138db0380c218c5743b84f9431274304
SHA256 5fd4db947b880a99dae5c56ddef1285a444887c561426ff16c076bc3284afeb9
SHA512 98e24ae5d0a57dff3ebde30ca8ae673dd62f189a80e424193b7bfd26ff58bed4b8667891e078524b5b0f0dddebffcfa88ca4e417cffda362a9e481b963cc57bf

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
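
The Files section interleaves memory-region dumps (memory/<pid>-<n>-<start>-<end>-memory.dmp) with on-disk files and their hashes, and two things are worth pulling out of it mechanically. For the dumps: per process, how many regions were captured, how large the largest is, whether one starts at 0x400000 (the default image base of a 32-bit executable, and usually the unpacked payload when the process was packed), and which ranges were dumped more than once (PID 932's 0x400000-0x46D000 appears twice, as do several ranges in PID 4128). For the files: which entries are benign by construction. The __PSScriptPolicyTest_*.ps1 file is written by PowerShell itself when it probes the script execution policy and contains only the character 1, which is why its MD5 is c4ca4238a0b923820dcc509a6f75849b and its SHA256 is 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b, the hashes of the string "1". mozglue.dll and nss3.dll in C:\ProgramData are Mozilla's NSS libraries, which stealers drop beside themselves to decrypt Firefox's saved logins. The script below is an added example, not part of the report; its sample is a constructed excerpt of the listing above, and the KNOWN_CONTENT and CREDENTIAL_HELPER_DLLS tables are this example's own.

```python
"""Summarise a sandbox 'Files' section: memory dumps per PID and dropped files.

Added example written for this report.  SAMPLE_FILES is a constructed excerpt of
the listing above in the same layout (a path, then MD5/SHA1/SHA256/SHA512 lines;
memory/<pid>-<n>-<start>-<end>-memory.dmp for dumped regions).  KNOWN_CONTENT
and CREDENTIAL_HELPER_DLLS are this example's own choices.
"""
import hashlib
import re
from collections import defaultdict

SAMPLE_FILES = r"""
memory/4128-0-0x00000180D8560000-0x00000180D856E000-memory.dmp
memory/2460-235-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ca1x4j1x.h0x.ps1
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
memory/932-402-0x0000000000400000-0x000000000046D000-memory.dmp
memory/932-416-0x0000000000400000-0x000000000046D000-memory.dmp
memory/932-517-0x0000000003610000-0x0000000003A10000-memory.dmp
C:\ProgramData\mozglue.dll
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
\ProgramData\nss3.dll
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
memory/2856-909-0x0000000000400000-0x0000000000AEA000-memory.dmp
"""

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
HASH_RE = re.compile(r"(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)")

# Hashes of well-known file contents, computed here rather than pasted in.
# PowerShell writes the single character "1" into __PSScriptPolicyTest_*.ps1 to
# probe the script execution policy, so that entry is PowerShell's, not the sample's.
KNOWN_CONTENT = {
    hashlib.sha256(b"1").hexdigest(): "PowerShell execution-policy probe (file content is just '1')",
}
# Mozilla NSS libraries dropped outside a Firefox install: stealers carry them
# along to decrypt Firefox's saved logins.
CREDENTIAL_HELPER_DLLS = {"nss3.dll", "mozglue.dll"}


def parse_files(text):
    """Return (dumps, files): dumps = {pid: [(seq, start, end)]}, files = [(path, {alg: hex})]."""
    dumps, files = defaultdict(list), []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = DUMP_RE.fullmatch(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps[int(pid)].append((int(seq), int(start, 16), int(end, 16)))
        elif (m := HASH_RE.fullmatch(line)) and files:
            files[-1][1][m.group(1)] = m.group(2)          # attach to the preceding path
        else:
            files.append((line, {}))
    return dict(dumps), files


def dump_summary(dumps):
    """Per PID: region count, largest region, whether a region sits at the default
    32-bit image base (the usual place to look for an unpacked PE), and ranges
    that were dumped more than once (worth comparing against each other)."""
    summary = {}
    for pid, regions in dumps.items():
        counts = defaultdict(int)
        for _, start, end in regions:
            counts[(start, end)] += 1
        summary[pid] = {
            "regions": len(regions),
            "largest": max(end - start for _, start, end in regions),
            "at_default_image_base": any(start == 0x400000 for _, start, _ in regions),
            "repeated": sorted(k for k, n in counts.items() if n > 1),
        }
    return summary


def flag_files(files):
    """Return {path: note} for entries explained by known content or a known helper name."""
    notes = {}
    for path, hashes in files:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if hashes.get("SHA256") in KNOWN_CONTENT:
            notes[path] = KNOWN_CONTENT[hashes["SHA256"]]
        elif name in CREDENTIAL_HELPER_DLLS and "firefox" not in path.lower():
            notes[path] = f"{name}: Firefox NSS library dropped outside Firefox (credential-theft helper)"
    return notes


if __name__ == "__main__":
    dumps, files = parse_files(SAMPLE_FILES)
    for pid, info in sorted(dump_summary(dumps).items()):
        print(pid, info)
    for path, note in flag_files(files).items():
        print(path, "->", note)
```

KNOWN_CONTENT is keyed on hashes computed from the content at import time rather than on pasted hex, so a typo cannot silently turn the benign-file check off; the same pattern extends to any other file a tool is known to write with fixed content. The dump summary is a reading order, not a verdict: the 0x400000 regions in PIDs 932, 2856, 2292, 1428, 684 and 2460 are where to start looking for an unpacked PE, while the 0x180xxxxxxxx regions in PID 4128 are heap and module ranges of a 64-bit process and need a different approach.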