Malware Analysis Report

2024-11-30 02:11

Sample ID 240328-2n383aaf91
Target cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
SHA256 cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
Tags
glupteba lumma rhadamanthys stealc discovery dropper evasion loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774

Threat Level: Known bad

The file cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774 was found to be: Known bad.

Malicious Activity Summary

glupteba lumma rhadamanthys stealc discovery dropper evasion loader persistence spyware stealer trojan

Glupteba

Windows security bypass

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba payload

Lumma Stealer

Rhadamanthys

Stealc

Detects DLL dropped by Raspberry Robin.

Downloads MZ/PE file

Blocklisted process makes network request

Modifies Windows Firewall

Reads data files stored by FTP clients

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Reads user/profile data of local email clients

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Runs ping.exe

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 22:44

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 22:44

Reported

2024-03-28 22:49

Platform

win10-20240221-en

Max time kernel

153s

Max time network

295s

Command Line

sihost.exe

Signatures

Detects DLL dropped by Raspberry Robin.

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4448 created 2812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe c:\windows\system32\sihost.exe

Windows security bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7z2GrXu4T5HL4ZhdonvTSWEu.exe = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GR1j7EBpiI8uLInOdAEXxFBj.exe = "0" C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GUufTQYYzZnS39HfSkoSrp4q.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZKvtKYQaZDQBTYfdrukCggSF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LwvGy4xDFqhgGzEwn4hYDYN5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XQ3QwVGFXnpBlfDPfrXoyc78.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U3vA8yHG18lKgprpyI84kwGu.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oPo6NsfNdVjG8SZrk959Okjr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gZ629Hg0XyCMhWhsg4Akt1oY.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2c3okWo0wm6xlk52XRKpvhZR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YZknwtemtCsgetAL6HGNKXFD.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jkbqi38BPSMqKu3NC2Xhdlm8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCBfyGxDn6iJGA2HMU33Ggl3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe N/A
N/A N/A C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe N/A
N/A N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe N/A
N/A N/A C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
N/A N/A C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
N/A N/A C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
N/A N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
N/A N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cezDd26icHf6hom6ALqwMoXu.exe N/A
N/A N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
N/A N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
N/A N/A C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
N/A N/A C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7z2GrXu4T5HL4ZhdonvTSWEu.exe = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GR1j7EBpiI8uLInOdAEXxFBj.exe = "0" C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ui4.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ui4.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ui4.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ui4.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ui4.0.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob omitted] C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [blob omitted] C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui4.0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ui4.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
N/A N/A C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
N/A N/A C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
N/A N/A C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
N/A N/A C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
N/A N/A C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4800 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\svchost.exe
PID 4800 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\svchost.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 1300 wrote to memory of 192 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1300 wrote to memory of 192 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2992 wrote to memory of 652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe
PID 2992 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe
PID 2992 wrote to memory of 1560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe
PID 2992 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe
PID 2992 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe
PID 2992 wrote to memory of 4352 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe
PID 2992 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe
PID 2992 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe
PID 2992 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe
PID 2992 wrote to memory of 4608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe
PID 2992 wrote to memory of 4608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe
PID 2992 wrote to memory of 4608 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe
PID 2992 wrote to memory of 1716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe
PID 2992 wrote to memory of 1716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe
PID 2992 wrote to memory of 1716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 wrote to memory of 4448 N/A C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2992 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 2992 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 2992 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 652 wrote to memory of 2268 N/A C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe C:\Users\Admin\AppData\Local\Temp\ui4.0.exe
PID 652 wrote to memory of 2268 N/A C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe C:\Users\Admin\AppData\Local\Temp\ui4.0.exe
PID 652 wrote to memory of 2268 N/A C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe C:\Users\Admin\AppData\Local\Temp\ui4.0.exe
PID 948 wrote to memory of 4216 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 948 wrote to memory of 4216 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 948 wrote to memory of 4216 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 948 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cezDd26icHf6hom6ALqwMoXu.exe
PID 948 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cezDd26icHf6hom6ALqwMoXu.exe
PID 948 wrote to memory of 1892 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cezDd26icHf6hom6ALqwMoXu.exe
PID 948 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 948 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 948 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 3268 wrote to memory of 292 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 3268 wrote to memory of 292 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 3268 wrote to memory of 292 N/A C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
PID 4448 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 1696 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

c:\windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe

"C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'

C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe

"C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe"

C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe

"C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe"

C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe

"C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe"

C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe

"C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe"

C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe

"C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe"

C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe

"C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 836

C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe

"C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\ui4.0.exe

"C:\Users\Admin\AppData\Local\Temp\ui4.0.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc

C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe

C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x6e73e1d0,0x6e73e1dc,0x6e73e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cezDd26icHf6hom6ALqwMoXu.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cezDd26icHf6hom6ALqwMoXu.exe" --version

C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe

"C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=948 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328224456" --session-guid=759a05d2-414f-4b4e-b288-82252c935327 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C04000000000000

C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe

C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2b0,0x2b4,0x27c,0x2b8,0x6d3de1d0,0x6d3de1dc,0x6d3de1e8

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 648

C:\Users\Admin\AppData\Local\Temp\ui4.1.exe

"C:\Users\Admin\AppData\Local\Temp\ui4.1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe"

C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe

"C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x2e0040,0x2e004c,0x2e0058

C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe

"C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe"

C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe

"C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe"

C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe

"C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.169.89:443 yip.su tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 shipofdestiny.com udp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 172.67.152.98:443 shipofdestiny.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.160.247:443 operandotwo.com tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 8.8.8.8:53 guseman.org udp
US 104.21.80.30:443 guseman.org tcp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 98.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 219.200.67.172.in-addr.arpa udp
US 8.8.8.8:53 247.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 17.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 144.210.57.176.in-addr.arpa udp
US 8.8.8.8:53 71.63.21.104.in-addr.arpa udp
US 8.8.8.8:53 190.73.21.217.in-addr.arpa udp
US 8.8.8.8:53 30.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 herdbescuitinjurywu.shop udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 104.21.69.91:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 91.69.21.104.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
US 104.21.69.91:443 herdbescuitinjurywu.shop tcp
US 104.21.69.91:443 herdbescuitinjurywu.shop tcp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
DE 185.172.128.209:80 185.172.128.209 tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 185.26.182.123:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 209.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 123.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 241.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.122:443 download.opera.com tcp
NL 82.145.216.16:443 features.opera-api2.com tcp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 16.216.145.82.in-addr.arpa udp
US 104.21.69.91:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.10.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 89.10.18.104.in-addr.arpa udp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.244:443 download.iolo.net tcp
US 8.8.8.8:53 244.2.93.185.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.176:443 download3.operacdn.com tcp
US 8.8.8.8:53 176.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 145.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 bad6dcba-6c2d-43c4-beb7-054e5bc420c4.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server12.thestatsfiles.ru udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BG 185.82.216.96:443 server12.thestatsfiles.ru tcp

Files

memory/4256-4-0x000001E1EF2B0000-0x000001E1EF2D2000-memory.dmp

memory/4256-5-0x00007FFAB9A70000-0x00007FFABA45C000-memory.dmp

memory/4256-6-0x000001E1ED3A0000-0x000001E1ED3B0000-memory.dmp

memory/4256-7-0x000001E1ED3A0000-0x000001E1ED3B0000-memory.dmp

memory/2992-12-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4256-13-0x000001E1EF460000-0x000001E1EF4D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvt3wt4h.pei.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2992-26-0x0000000073460000-0x0000000073B4E000-memory.dmp

memory/4256-27-0x000001E1ED3A0000-0x000001E1ED3B0000-memory.dmp

memory/2992-28-0x0000000004C20000-0x0000000004C30000-memory.dmp

C:\Users\Admin\Pictures\xejj5o1LPkksk7sTkCLI6vzU.exe

MD5 73678fedd57a7f4b92435cdf58123990
SHA1 03e0a9299fae0c6c5745ef826da6ec7e16c5b6ed
SHA256 080a5a7a7e10479dd248d32a5ea3bba39bef946820a7696890436794bc1849a4
SHA512 43265fc4797a0b152dd04a5b1bfc4204feed0cfb78d7f25f6cf9f937e6525a88e925f49c790a69ca9c4877a37869189e8e4dd76c8c00407867ba576b038feaf1

C:\Users\Admin\Pictures\SWaad7T9j6Yj0uW38swd4Ote.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe

MD5 7fcc0bae1fa98de1d16819e6f85de171
SHA1 d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4
SHA256 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a
SHA512 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29

memory/4256-85-0x000001E1ED3A0000-0x000001E1ED3B0000-memory.dmp

C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/652-86-0x0000000000E20000-0x0000000000F20000-memory.dmp

memory/1560-89-0x0000000000C20000-0x0000000000D20000-memory.dmp

memory/1560-94-0x0000000000B80000-0x0000000000BCA000-memory.dmp

memory/1560-98-0x0000000000BD0000-0x0000000000C10000-memory.dmp

memory/1560-103-0x0000000000BD0000-0x0000000000C10000-memory.dmp

C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe

MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

memory/1560-108-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/1560-104-0x0000000000BD0000-0x0000000000C10000-memory.dmp

memory/1560-101-0x0000000000BD0000-0x0000000000C10000-memory.dmp

memory/1560-99-0x0000000000BD0000-0x0000000000C10000-memory.dmp

memory/1560-97-0x0000000000BD0000-0x0000000000C10000-memory.dmp

C:\Users\Admin\Pictures\L2MqEt7gmIPkAgFX3psfdHxf.exe

MD5 a73c3ab280a7cff262ea07e0411fba5b
SHA1 3f15229c5ed431dd9fc80686c34a402f1d6ef369
SHA256 2d5bf302602871ced66ecb1f4e70d1023e9c126b70639ff9cf7728bdc3d87115
SHA512 9ec42678314aca6c5590315502dff5847366576ed6ed57d6e611f7f2f26a1c5158b66419200e7e2d58db0c5760dcc70dfeeed626dd9e5780bfa08c394801d730

memory/652-92-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/652-88-0x00000000026C0000-0x000000000272E000-memory.dmp

C:\Users\Admin\Pictures\8PaUrsjCdBqEaOOjJkNUfkaB.exe

MD5 160458fc52d4675a348e1fd0c25b44a0
SHA1 41f41926edf0c803670cf41ff67662dfe9a7431e
SHA256 5256deb1ce435534bcba1b19e02ba8122f9e13cde92178a5bd7f763b1959432e
SHA512 719aa90d5e6fcddc648c1a0607eb772d9c802de426bb53d6ccac8379aeb99b2f570e955c6d65403f25b74345b8e8b86355dc2ac94daa71f5762db16c13c4f4bb

C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe

MD5 5f066ebf9264cad80bdb1384ce2a6b34
SHA1 a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc
SHA256 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1
SHA512 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5

C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe

MD5 6126c6923b352edf2507639b7fe78e8a
SHA1 1fd3edb62b8d44673772fb58a05c43d5360e8e5b
SHA256 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd
SHA512 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736

memory/4352-138-0x0000000000950000-0x00000000009BE000-memory.dmp

memory/4352-140-0x0000000073460000-0x0000000073B4E000-memory.dmp

memory/4352-141-0x0000000005320000-0x0000000005330000-memory.dmp

memory/4256-135-0x00007FFAB9A70000-0x00007FFABA45C000-memory.dmp

memory/1644-142-0x0000000002B60000-0x0000000002F65000-memory.dmp

memory/1716-144-0x0000000002AF0000-0x0000000002EF4000-memory.dmp

memory/1560-146-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-147-0x0000000003120000-0x0000000003220000-memory.dmp

memory/4448-149-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1560-152-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-153-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-155-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-158-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-162-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-163-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-164-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-165-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-168-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-169-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-171-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-173-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-175-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-176-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-180-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-183-0x0000000003220000-0x0000000003260000-memory.dmp

memory/1560-185-0x0000000003220000-0x0000000003260000-memory.dmp

memory/1560-188-0x0000000003220000-0x0000000003260000-memory.dmp

memory/1560-187-0x0000000003220000-0x0000000003260000-memory.dmp

memory/1560-186-0x0000000003220000-0x0000000003260000-memory.dmp

memory/1560-184-0x0000000003220000-0x0000000003260000-memory.dmp

memory/1560-182-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-181-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-179-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-178-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-177-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-174-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-172-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-170-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-167-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-166-0x0000000003120000-0x0000000003220000-memory.dmp

memory/4448-220-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1560-157-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-154-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-151-0x0000000003120000-0x0000000003220000-memory.dmp

memory/1560-148-0x0000000003120000-0x0000000003220000-memory.dmp

C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe

MD5 115ad043254db6fc45db5cdbcf4c7f83
SHA1 6f5cfe5b7a30c4d00d8f83956fcb33c998e25b50
SHA256 fa1c3bf058b7390cd739a990dcecacdbfdb1949aa1491ad617b3d76f19fb3c1e
SHA512 09ad51e25493a5ecfe6eaba47366fab4f0236065836c136efdae4263d052ed0bb34d36e000c6fb17d20880355e7d305cf6618df8cf259ee81707734371801792

\Users\Admin\AppData\Local\Temp\Opera_installer_240328224454888948.dll

MD5 117176ddeaf70e57d1747704942549e4
SHA1 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA256 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512 ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

C:\Users\Admin\AppData\Local\Temp\ui4.0.exe

MD5 4524e1a1e2725e159d68b3bca2c1b296
SHA1 0e3b226d0ebd227b911c5fc25d6a28478ed0a957
SHA256 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7
SHA512 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca

memory/652-273-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1560-278-0x0000000000400000-0x0000000000B06000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 99e7c3be62d452eec124597d31a62c40
SHA1 817449da91d16d9ad125b2c966a37d755547a050
SHA256 4b9254c9363c279755f8b3fb7ee618a84e7f14c10d174d9fccd8ffd8e09ebe3c
SHA512 6559b79be42e9779e01d7e20dce2b4b4fe217b9c70ca77a0326088c3a194bbef7482aa80c31aedb2dbd03506b81970e8cfd28923539f0656937bb10f9f810446

memory/4448-288-0x00000000039D0000-0x0000000003DD0000-memory.dmp

memory/4448-294-0x00000000039D0000-0x0000000003DD0000-memory.dmp

memory/4448-297-0x00007FFAD65B0000-0x00007FFAD678B000-memory.dmp

memory/4448-302-0x00000000768B0000-0x0000000076A72000-memory.dmp

memory/1696-304-0x0000000002470000-0x0000000002479000-memory.dmp

memory/1644-306-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1696-316-0x0000000004060000-0x0000000004460000-memory.dmp

memory/1696-320-0x00007FFAD65B0000-0x00007FFAD678B000-memory.dmp

memory/4608-312-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1716-319-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/652-334-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ui4.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/1696-328-0x00000000768B0000-0x0000000076A72000-memory.dmp

memory/2268-315-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2268-397-0x0000000000400000-0x0000000000AEA000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1644-455-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4608-459-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1716-460-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 082aac9bf0152e48c787d1f48837a044
SHA1 7c96d904c81033eee3d14f0a94591b9c9a9ae217
SHA256 624f8c02fc0e953b4d382052ddbc7cd9a97809bfcc3a6530a2f492e8fe854e2e
SHA512 b22dd6ef676a202b634b3699b38ad6721cd68b7078e237c72310008045fb17d0e070696c229edff79d0219737438eaa356c8cc20840ea81d67a62dc4d8bd3069

memory/2480-468-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/2268-636-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

memory/1644-646-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4608-648-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1716-649-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 c8348dcc970e41ce023c262ec88ce5f7
SHA1 5ca378ce74cbb5407b3c8b9e84205be8b27da512
SHA256 f12c3ffec1a372fa5e03059bb95373faa30f9760c1b6e5e461bb43c1cb4bfffe
SHA512 e05acc89c94ba571b5fa3ae924862d54181a6458136cd5925b1b219f01499d822f56571872fb1ac64fb7ac11f162b100fec4986a99143953dbcc4c81f6ee2059

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\opera_package

MD5 401c352990789be2f40fe8f9c5c7a5ac
SHA1 d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256 f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512 efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8

memory/2480-950-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\dbgcore.dll

MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 34cbce7a86066983ddec1c5c7316fa24
SHA1 a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9
SHA256 23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42
SHA512 f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ec1a341def23c1a8b14771eb3f6cec4d
SHA1 68d85fac7d2668eccb43cc87e362f99a432a82ce
SHA256 f756988c36715c2c4f6378e11a29ef492804bcf56faabb0dc80110ff45f41f0a
SHA512 b5c14b976788f8e26f662f48a5419add56d1c00dda971cac8bef2fc82467d94e68ade11a2a24d687ea636e34411b0e712d8f1664114b52642173328685197a3f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

memory/1644-1459-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1716-1473-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4608-1466-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1644-1475-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4608-1481-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06b2f5213698f22886b3c4596dec2e94
SHA1 9c2c790b23772625483adc3ecc8976e6e35fb0b9
SHA256 dddd0950371fb0cf8f79c00b8323aa0edfc7c6a884428df77f0f6c9ea93051fa
SHA512 34b804449f0434df1eac975c5aaf05ad6b0c71d58a2f37c4b037708e24d5aa135795ceb1afd5f93baed15fa4853c312d4cea0d50f9c9ad9ab81de556f5d2eac8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d7294e10a1e3b3dca39775d323799e4
SHA1 4a6c665b09f74864d0addf2731b707514825117c
SHA256 35e3be39d19c358f6e3e5cfd7384d9734aa37444fccd66cea85d8c4b2e0b954c
SHA512 e3ffcca84cdd2a7d963d2ee37ee591f27a34c4e3c4a058c388cd22cf5b9696233f290f39721645b72dda183fa3b922b83f4ffb1081a911cb9806fe141a84c019

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 0f38a17bbaa7b6f75f51c671be981097
SHA1 ee95e5225cfb623b6ddd58902bf72504993e2030
SHA256 03f4d293b34e18f429d34282179a04a705d448f3b88b88982486997f6cd51f39
SHA512 429100ae213ea857fa3fefea7b512bb616219f76cf2a55a4735776650806d42582ff886cd4779a1406d2bc9d0f514c93e40c3d12d9e764ffa8b880067bd704a2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5b755164730760a544f34b686d619f89
SHA1 ea6f5168560f5079191f1d1893ab18b85928c849
SHA256 c3590f597a3d72962f30af37b7e03ffc6aa57cd411a98796433d19b7802bb4d0
SHA512 5dd5d48930327baef0c4d170ae64947051cb2d80e6fde895d61a64801d52c3998d3376508792b5b167fe4556e654bf4507f00381b02d2b83c7af52ca32c24700

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8938bf8f5c3202eeadf1f6003f096a4a
SHA1 b6eba25d172060a63d8b4145c195b738e00ffd1b
SHA256 5d53fb5f5d9b720a43af10335c06a6bf7cdd2742aa8b23f5044a1db708b85067
SHA512 18d6100bf0777f8a9653479858da86710768921eb1b4b8601936cec6a61b38801152de747b3755d9ba294cc722eb5e514ff524f732114914ce9067ba028dfc95

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 41211b9b622ffa5a0ae1f00710aaacf7
SHA1 fdc47c433d88460e83654d7f59a8a9912451248a
SHA256 9bdb92fade5ceeac6e8eb8dd5ef9af1be5b430cb646ea943ee356d7d098cd374
SHA512 575c87bcd513ee6d30ca180c2109a881376324ae45adb477ddba40463ca523183bba35c65c31aaa8bcba50cd68272fcb34b0cca6a86aef817b291b6a0299e34a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7c8c8e13c796becd6ac60447255feb8f
SHA1 35a6882d2e40076857c6a4fdc340671010f4c849
SHA256 81acc2730ee137604c1a8f5a27e78fbf21d0b1404dcb3de41d74312a7a4def57
SHA512 03de180f60a0f1a57c3f8e2df88986ff2d91aa6c11b04736798d14139a0e18ff1d5ce7b25ea50b854beeb4416d565544647bd88efee86bec29dc3885c404efc6

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 22:44

Reported

2024-03-28 22:45

Platform

win7-20240221-en

Max time kernel

20s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWXq7sSD38uxnt6PqA8rjNUY.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5HR4Al8JFMoEXmvkrFB6wr6C.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\om5MZPVFzRjs7Oe7Do2VWu9o.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvdEK8dT2ZzMXlV30GtW4yty.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SWkCKGdDgPIXNC5FYCMIe3D0.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tNJPUkaSFseiBqHrq0uXNFQl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scKaU59asNjbM0q8q6X5Pq3c.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f8B0eUHv1FEGOiAJCdhdYgow.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4S7Ee9Cbjo4wL4X7Poh14baV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\system32\cmd.exe
PID 3036 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3036 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3036 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3060 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe
PID 2580 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe
PID 2580 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe
PID 2580 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe
PID 2580 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe
PID 2580 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe
PID 2580 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe
PID 2580 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe
PID 2580 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe
PID 2580 wrote to memory of 2504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe
PID 2580 wrote to memory of 2504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe
PID 2580 wrote to memory of 2504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe
PID 2580 wrote to memory of 2504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe
PID 2580 wrote to memory of 304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe
PID 2580 wrote to memory of 304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe
PID 2580 wrote to memory of 304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe
PID 2580 wrote to memory of 304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe
PID 1872 wrote to memory of 2160 N/A C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe
PID 1872 wrote to memory of 2160 N/A C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe
PID 1872 wrote to memory of 2160 N/A C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe
PID 1872 wrote to memory of 2160 N/A C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe

"C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile

C:\Windows\system32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'

C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe

"C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe"

C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe

"C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe"

C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe

"C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe"

C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe

"C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe"

C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe

"C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe"

C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe"

C:\Users\Admin\AppData\Local\Temp\u1g0.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1g0.1.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240328224503.log C:\Windows\Logs\CBS\CbsPersist_20240328224503.cab

C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe

"C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe

"C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe"

C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe

"C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.21.79.77:443 yip.su tcp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 namemail.org udp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 cu82342.tw1.ru udp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 net.geo.opera.com udp
US 172.67.152.98:443 shipofdestiny.com tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 172.67.200.219:443 sty.ink tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 104.21.13.170:443 sty.ink tcp
US 172.67.160.247:443 operandotwo.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 8.8.8.8:53 lawyerbuyer.org udp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 172.67.170.65:443 lawyerbuyer.org tcp
GB 95.101.143.18:80 apps.identrust.com tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 guseman.org udp
US 104.21.80.30:443 guseman.org tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.251:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar5AD4.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 897e9c6f30e894c486ecf44950ffbbb7
SHA1 6fe8bffd66ff22929925caeb5230197919cc899b
SHA256 cd15de8321d6c64052612799e5cf063af9d3bb09407fb3a0fd94ab3a1f1421d0
SHA512 1af99dd28bd1d392c2dad4b246e19e119400af696ece2303edbd3a7cae85d51ffcbb97de222e467248102ff7924a5597936e155b0b2caa69137c66df0a1e2c8f

\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe

MD5 7fcc0bae1fa98de1d16819e6f85de171
SHA1 d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4
SHA256 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a
SHA512 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb2d94bd3e7efb87cc9e1238474bcdad
SHA1 c42843c821acd921505cef604bd1ba4544686695
SHA256 7b331703e58a5384b91161a439a589a2006941277d9439be5992ff789e1fdf8c
SHA512 989d8ce259e0ed174e5bc8647b220748edc3ce68a746ecb7e4d34da57c402822182c9165b6eae52c2111fa0d80dd8e747b81f70342bea6887577427e56c0531d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb73558587435ac4387468d56b4b56e1
SHA1 37e4ca9264c8326fecf35a3e48255d954a53bcd7
SHA256 b2851ff8b8e71684ef5589d5457addc47ca9b90809aa5bf335d831754e039e4b
SHA512 dcc054629a3bb4c58aa8ea8fc9fdb634d300ec4ed240fbd327606473967e35282f1f965045c2092fc2f5a5b51e0b2a8dd1df454db45d975cc6cbc5872f81863c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 034d5f9dc9cfb443c3b9535d874cd797
SHA1 36ce8b4da9d4f4b69857cd44a58104e5a3bf03a0
SHA256 d488c02a441ca2a5c4f50ab6c11a3f47b75c521d80d98752a90fd6338016e8ac
SHA512 23babe045d54a89430da17d29d30eb1ca84ae4f61152398169cfebf5724776df3d1a4b7019e819606b6cc07d628e09ffbe3714ff80117de8e8bbea01dac22509

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1724b778bd23333e8e6e1128b20204e0
SHA1 5c02c5d7e430b5eeacc7a4568f852bd493a5f3d4
SHA256 43bbd7253e2d21a549b7e9f2e9e4211352644eae523d9d2fd140401aa1b2c1ec
SHA512 ef54af2ef4cbe9902b24125fe58fbd5b03a045e0ec2d3a0d0e0a9b7775badbdd6025d8e96f2ca53a311a25aec04ac9c6d58e83c33a20517e8b7679d1f10c9cf7

\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe

MD5 6126c6923b352edf2507639b7fe78e8a
SHA1 1fd3edb62b8d44673772fb58a05c43d5360e8e5b
SHA256 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd
SHA512 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f00210c99ec091f79065f4f0b5e3e3a
SHA1 b71e55d8e98c501fc4a003f4cd583d473ea06bd1
SHA256 217d71f0eb509ed1d332d966c28fd33b2ca7e0f4cc0fdff2c4271d9f02f8f082
SHA512 dbacbf55afd13980a428ff421c4c6cb3e9e440e68f2c6cd376f292a0fe4bc4de828bcf062a86f1866066aa5ae4b14e81ad1e0c5724f8e43cbf5fa922345cfdb9

C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe

MD5 5f066ebf9264cad80bdb1384ce2a6b34
SHA1 a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc
SHA256 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1
SHA512 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5

C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe

MD5 4524e1a1e2725e159d68b3bca2c1b296
SHA1 0e3b226d0ebd227b911c5fc25d6a28478ed0a957
SHA256 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7
SHA512 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca

\Users\Admin\AppData\Local\Temp\u1g0.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 a1cafe12ee71349ee054b5a5d8526122
SHA1 4030e21823a8cee53e9eccf3e995ccff8fdf6301
SHA256 02d378adda623d50a41b50544f0ea56f5083f2d068cfc6159de3269e1596c81c
SHA512 abd817ed1a6c69fef7d0ee9ef2c3dec765b20a311435298170b29e8945c7f1e12a443edae413b1c27f73e06c4e8eca832ba2b8637913ce2aa2e770b435b202df

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Windows\rss\csrss.exe

MD5 de1621057d5f72eed9129bb176ffb052
SHA1 aca3f09868b6dfd66931b8c479f5957a8e95bc52
SHA256 f37850c99d94503c518e50fa69d15ce1c80257b4da0ed387fd2900222e44207e
SHA512 006458ac0c5bb79e769c595d4b9075b9536313a20925dc12a2a29b74cf6eb73dc6fb0fc159dc6c7f8b4259ba79dcfaf40a72bfcba3b2684ad8fcd205eb7de330

\Windows\rss\csrss.exe

MD5 efb917e745227ef243e144e819858e1a
SHA1 0cf30460bbb3f03e94559e60ab2338e317ec4118
SHA256 a6ceaa76e2e1e8253ffe11be11a7ac7d3a27e40a0d5aa21ed733c3761d7255d4
SHA512 8e139b338c6821b712ccec1c2f46fe2ddffef9a036c5f1883a62e8c339d2b440729b2867fc4893a1d8f316d3292b0222e6038b1c2d682f037506f795802a0d4e

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 236471c97358ef3b84c1f067d0e78a10
SHA1 5cd8cb28ae285b2e38c7e411dc1af57b0fc156a4
SHA256 64c292206c1bb9d04fb3f093dfa7672131b4e749982490c6500b2acc0e20ad9e
SHA512 290268f81a2636f1fa90c6ac59aa391a3f7e505806a24a28c2f1bc8b837adbc1f76ad5de2eb52a74c9dd808af2f3f3139480ba1be7534e2a69f3e2a6b4689e9b
