Analysis Overview
SHA256
cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
Threat Level: Known bad
The file cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774 was found to be: Known bad.
Malicious Activity Summary
Glupteba
Windows security bypass
Suspicious use of NtCreateUserProcessOtherParentProcess
Glupteba payload
Lumma Stealer
Rhadamanthys
Stealc
Detects DLL dropped by Raspberry Robin.
Downloads MZ/PE file
Blocklisted process makes network request
Modifies Windows Firewall
Reads data files stored by FTP clients
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Windows security modification
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Runs ping.exe
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 22:44
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-28 22:44
Reported
2024-03-28 22:49
Platform
win10-20240221-en
Max time kernel
153s
Max time network
295s
Command Line
Signatures
Detects DLL dropped by Raspberry Robin.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4448 created 2812 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | c:\windows\system32\sihost.exe |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7z2GrXu4T5HL4ZhdonvTSWEu.exe = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GR1j7EBpiI8uLInOdAEXxFBj.exe = "0" | C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GUufTQYYzZnS39HfSkoSrp4q.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZKvtKYQaZDQBTYfdrukCggSF.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LwvGy4xDFqhgGzEwn4hYDYN5.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XQ3QwVGFXnpBlfDPfrXoyc78.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U3vA8yHG18lKgprpyI84kwGu.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oPo6NsfNdVjG8SZrk959Okjr.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gZ629Hg0XyCMhWhsg4Akt1oY.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2c3okWo0wm6xlk52XRKpvhZR.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YZknwtemtCsgetAL6HGNKXFD.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jkbqi38BPSMqKu3NC2Xhdlm8.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCBfyGxDn6iJGA2HMU33Ggl3.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7z2GrXu4T5HL4ZhdonvTSWEu.exe = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GR1j7EBpiI8uLInOdAEXxFBj.exe = "0" | C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4800 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe |
| PID 4352 set thread context of 4448 | N/A | C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ui4.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ui4.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfc
dac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ui4.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
c:\windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe
"C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'
C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe
"C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe"
C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe
"C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe"
C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe
"C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe"
C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe
"C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe"
C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe
"C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe"
C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe
"C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 836
C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
"C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe" --silent --allusers=0
C:\Users\Admin\AppData\Local\Temp\ui4.0.exe
"C:\Users\Admin\AppData\Local\Temp\ui4.0.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x6e73e1d0,0x6e73e1dc,0x6e73e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cezDd26icHf6hom6ALqwMoXu.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\cezDd26icHf6hom6ALqwMoXu.exe" --version
C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
"C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=948 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328224456" --session-guid=759a05d2-414f-4b4e-b288-82252c935327 --server-tracking-blob=ODliNGJjNjE2NzcyNzRkNDZhOTZiODhjYjc1NmZjYmE2ZDY5NmJmODBkZjFlZDI3NjViNjRiZDQ0MTU1OTYyZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2NjU4ODguOTA5NCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImRlYmM0NzM4LWExNjYtNDU0NC04OTc2LWIyOTJlYTJkNTFlMSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C04000000000000
C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2b0,0x2b4,0x27c,0x2b8,0x6d3de1d0,0x6d3de1dc,0x6d3de1e8
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 648
C:\Users\Admin\AppData\Local\Temp\ui4.1.exe
"C:\Users\Admin\AppData\Local\Temp\ui4.1.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe"
C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe
"C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x2e0040,0x2e004c,0x2e0058
C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe
"C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe"
C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe
"C:\Users\Admin\Pictures\GR1j7EBpiI8uLInOdAEXxFBj.exe"
C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe
"C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | piramidglobaltobacco.id | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.160.247:443 | operandotwo.com | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 104.21.63.71:443 | lawyerbuyer.org | tcp |
| US | 104.21.63.71:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | guseman.org | udp |
| US | 104.21.80.30:443 | guseman.org | tcp |
| US | 8.8.8.8:53 | 144.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.64.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.63.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.73.21.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | herdbescuitinjurywu.shop | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 104.21.69.91:443 | herdbescuitinjurywu.shop | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.69.21.104.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| US | 104.21.69.91:443 | herdbescuitinjurywu.shop | tcp |
| US | 104.21.69.91:443 | herdbescuitinjurywu.shop | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| NL | 185.26.182.123:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.123:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 209.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 185.26.182.122:443 | download.opera.com | tcp |
| NL | 82.145.216.16:443 | features.opera-api2.com | tcp |
| US | 8.8.8.8:53 | 122.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.216.145.82.in-addr.arpa | udp |
| US | 104.21.69.91:443 | herdbescuitinjurywu.shop | tcp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| US | 8.8.8.8:53 | 89.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.244:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 244.2.93.185.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| GB | 95.101.143.176:443 | download3.operacdn.com | tcp |
| US | 8.8.8.8:53 | 176.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 145.155.9.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bad6dcba-6c2d-43c4-beb7-054e5bc420c4.uuid.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.sipgate.net | udp |
| US | 8.8.8.8:53 | server12.thestatsfiles.ru | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 15.197.250.192:3478 | stun.sipgate.net | udp |
| BG | 185.82.216.96:443 | server12.thestatsfiles.ru | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 192.250.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| BG | 185.82.216.96:443 | server12.thestatsfiles.ru | tcp |
Files
memory/4256-4-0x000001E1EF2B0000-0x000001E1EF2D2000-memory.dmp
memory/4256-5-0x00007FFAB9A70000-0x00007FFABA45C000-memory.dmp
memory/4256-6-0x000001E1ED3A0000-0x000001E1ED3B0000-memory.dmp
memory/4256-7-0x000001E1ED3A0000-0x000001E1ED3B0000-memory.dmp
memory/2992-12-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4256-13-0x000001E1EF460000-0x000001E1EF4D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvt3wt4h.pei.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2992-26-0x0000000073460000-0x0000000073B4E000-memory.dmp
memory/4256-27-0x000001E1ED3A0000-0x000001E1ED3B0000-memory.dmp
memory/2992-28-0x0000000004C20000-0x0000000004C30000-memory.dmp
C:\Users\Admin\Pictures\xejj5o1LPkksk7sTkCLI6vzU.exe
| MD5 | 73678fedd57a7f4b92435cdf58123990 |
| SHA1 | 03e0a9299fae0c6c5745ef826da6ec7e16c5b6ed |
| SHA256 | 080a5a7a7e10479dd248d32a5ea3bba39bef946820a7696890436794bc1849a4 |
| SHA512 | 43265fc4797a0b152dd04a5b1bfc4204feed0cfb78d7f25f6cf9f937e6525a88e925f49c790a69ca9c4877a37869189e8e4dd76c8c00407867ba576b038feaf1 |
C:\Users\Admin\Pictures\SWaad7T9j6Yj0uW38swd4Ote.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\nQiEd9022p6pzqfvMEvsyw3t.exe
| MD5 | 7fcc0bae1fa98de1d16819e6f85de171 |
| SHA1 | d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4 |
| SHA256 | 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a |
| SHA512 | 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29 |
memory/4256-85-0x000001E1ED3A0000-0x000001E1ED3B0000-memory.dmp
C:\Users\Admin\Pictures\Wf9G59s8wh75MRChrFRSufsW.exe
| MD5 | e2a6c1f58b137874e490b8d94382fcdb |
| SHA1 | 71529c5d708091b1e1a580227dc52e62a140edd1 |
| SHA256 | 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437 |
| SHA512 | 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff |
memory/652-86-0x0000000000E20000-0x0000000000F20000-memory.dmp
memory/1560-89-0x0000000000C20000-0x0000000000D20000-memory.dmp
memory/1560-94-0x0000000000B80000-0x0000000000BCA000-memory.dmp
memory/1560-98-0x0000000000BD0000-0x0000000000C10000-memory.dmp
memory/1560-103-0x0000000000BD0000-0x0000000000C10000-memory.dmp
C:\Users\Admin\Pictures\2p1D5TJxpu5pEYgIyZldaP6y.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
memory/1560-108-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/1560-104-0x0000000000BD0000-0x0000000000C10000-memory.dmp
memory/1560-101-0x0000000000BD0000-0x0000000000C10000-memory.dmp
memory/1560-99-0x0000000000BD0000-0x0000000000C10000-memory.dmp
memory/1560-97-0x0000000000BD0000-0x0000000000C10000-memory.dmp
C:\Users\Admin\Pictures\L2MqEt7gmIPkAgFX3psfdHxf.exe
| MD5 | a73c3ab280a7cff262ea07e0411fba5b |
| SHA1 | 3f15229c5ed431dd9fc80686c34a402f1d6ef369 |
| SHA256 | 2d5bf302602871ced66ecb1f4e70d1023e9c126b70639ff9cf7728bdc3d87115 |
| SHA512 | 9ec42678314aca6c5590315502dff5847366576ed6ed57d6e611f7f2f26a1c5158b66419200e7e2d58db0c5760dcc70dfeeed626dd9e5780bfa08c394801d730 |
memory/652-92-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/652-88-0x00000000026C0000-0x000000000272E000-memory.dmp
C:\Users\Admin\Pictures\8PaUrsjCdBqEaOOjJkNUfkaB.exe
| MD5 | 160458fc52d4675a348e1fd0c25b44a0 |
| SHA1 | 41f41926edf0c803670cf41ff67662dfe9a7431e |
| SHA256 | 5256deb1ce435534bcba1b19e02ba8122f9e13cde92178a5bd7f763b1959432e |
| SHA512 | 719aa90d5e6fcddc648c1a0607eb772d9c802de426bb53d6ccac8379aeb99b2f570e955c6d65403f25b74345b8e8b86355dc2ac94daa71f5762db16c13c4f4bb |
C:\Users\Admin\Pictures\7z2GrXu4T5HL4ZhdonvTSWEu.exe
| MD5 | 5f066ebf9264cad80bdb1384ce2a6b34 |
| SHA1 | a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc |
| SHA256 | 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1 |
| SHA512 | 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5 |
C:\Users\Admin\Pictures\yKl6FZfh8dttB2T2iSXPnrTm.exe
| MD5 | 6126c6923b352edf2507639b7fe78e8a |
| SHA1 | 1fd3edb62b8d44673772fb58a05c43d5360e8e5b |
| SHA256 | 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd |
| SHA512 | 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736 |
memory/4352-138-0x0000000000950000-0x00000000009BE000-memory.dmp
memory/4352-140-0x0000000073460000-0x0000000073B4E000-memory.dmp
memory/4352-141-0x0000000005320000-0x0000000005330000-memory.dmp
memory/4256-135-0x00007FFAB9A70000-0x00007FFABA45C000-memory.dmp
memory/1644-142-0x0000000002B60000-0x0000000002F65000-memory.dmp
memory/1716-144-0x0000000002AF0000-0x0000000002EF4000-memory.dmp
memory/1560-146-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-147-0x0000000003120000-0x0000000003220000-memory.dmp
memory/4448-149-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1560-152-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-153-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-155-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-158-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-162-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-163-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-164-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-165-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-168-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-169-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-171-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-173-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-175-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-176-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-180-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-183-0x0000000003220000-0x0000000003260000-memory.dmp
memory/1560-185-0x0000000003220000-0x0000000003260000-memory.dmp
memory/1560-188-0x0000000003220000-0x0000000003260000-memory.dmp
memory/1560-187-0x0000000003220000-0x0000000003260000-memory.dmp
memory/1560-186-0x0000000003220000-0x0000000003260000-memory.dmp
memory/1560-184-0x0000000003220000-0x0000000003260000-memory.dmp
memory/1560-182-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-181-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-179-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-178-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-177-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-174-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-172-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-170-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-167-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-166-0x0000000003120000-0x0000000003220000-memory.dmp
memory/4448-220-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1560-157-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-154-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-151-0x0000000003120000-0x0000000003220000-memory.dmp
memory/1560-148-0x0000000003120000-0x0000000003220000-memory.dmp
C:\Users\Admin\Pictures\cezDd26icHf6hom6ALqwMoXu.exe
| MD5 | 115ad043254db6fc45db5cdbcf4c7f83 |
| SHA1 | 6f5cfe5b7a30c4d00d8f83956fcb33c998e25b50 |
| SHA256 | fa1c3bf058b7390cd739a990dcecacdbfdb1949aa1491ad617b3d76f19fb3c1e |
| SHA512 | 09ad51e25493a5ecfe6eaba47366fab4f0236065836c136efdae4263d052ed0bb34d36e000c6fb17d20880355e7d305cf6618df8cf259ee81707734371801792 |
\Users\Admin\AppData\Local\Temp\Opera_installer_240328224454888948.dll
| MD5 | 117176ddeaf70e57d1747704942549e4 |
| SHA1 | 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b |
| SHA256 | 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af |
| SHA512 | ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9 |
C:\Users\Admin\AppData\Local\Temp\ui4.0.exe
| MD5 | 4524e1a1e2725e159d68b3bca2c1b296 |
| SHA1 | 0e3b226d0ebd227b911c5fc25d6a28478ed0a957 |
| SHA256 | 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7 |
| SHA512 | 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca |
memory/652-273-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/1560-278-0x0000000000400000-0x0000000000B06000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 99e7c3be62d452eec124597d31a62c40 |
| SHA1 | 817449da91d16d9ad125b2c966a37d755547a050 |
| SHA256 | 4b9254c9363c279755f8b3fb7ee618a84e7f14c10d174d9fccd8ffd8e09ebe3c |
| SHA512 | 6559b79be42e9779e01d7e20dce2b4b4fe217b9c70ca77a0326088c3a194bbef7482aa80c31aedb2dbd03506b81970e8cfd28923539f0656937bb10f9f810446 |
memory/4448-288-0x00000000039D0000-0x0000000003DD0000-memory.dmp
memory/4448-294-0x00000000039D0000-0x0000000003DD0000-memory.dmp
memory/4448-297-0x00007FFAD65B0000-0x00007FFAD678B000-memory.dmp
memory/4448-302-0x00000000768B0000-0x0000000076A72000-memory.dmp
memory/1696-304-0x0000000002470000-0x0000000002479000-memory.dmp
memory/1644-306-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1696-316-0x0000000004060000-0x0000000004460000-memory.dmp
memory/1696-320-0x00007FFAD65B0000-0x00007FFAD678B000-memory.dmp
memory/4608-312-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1716-319-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/652-334-0x0000000000400000-0x0000000000B0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ui4.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/1696-328-0x00000000768B0000-0x0000000076A72000-memory.dmp
memory/2268-315-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2268-397-0x0000000000400000-0x0000000000AEA000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/1644-455-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4608-459-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1716-460-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 082aac9bf0152e48c787d1f48837a044 |
| SHA1 | 7c96d904c81033eee3d14f0a94591b9c9a9ae217 |
| SHA256 | 624f8c02fc0e953b4d382052ddbc7cd9a97809bfcc3a6530a2f492e8fe854e2e |
| SHA512 | b22dd6ef676a202b634b3699b38ad6721cd68b7078e237c72310008045fb17d0e070696c229edff79d0219737438eaa356c8cc20840ea81d67a62dc4d8bd3069 |
memory/2480-468-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/2268-636-0x0000000000400000-0x0000000000AEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CBFBGCGIJK.exe
| MD5 | fe380780b5c35bd6d54541791151c2be |
| SHA1 | 7fe3a583cf91474c733f85cebf3c857682e269e1 |
| SHA256 | b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53 |
| SHA512 | ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c |
memory/1644-646-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4608-648-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1716-649-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | c8348dcc970e41ce023c262ec88ce5f7 |
| SHA1 | 5ca378ce74cbb5407b3c8b9e84205be8b27da512 |
| SHA256 | f12c3ffec1a372fa5e03059bb95373faa30f9760c1b6e5e461bb43c1cb4bfffe |
| SHA512 | e05acc89c94ba571b5fa3ae924862d54181a6458136cd5925b1b219f01499d822f56571872fb1ac64fb7ac11f162b100fec4986a99143953dbcc4c81f6ee2059 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\opera_package
| MD5 | 401c352990789be2f40fe8f9c5c7a5ac |
| SHA1 | d7c1e902487511d3f4e1a57abdee8a94d5483ed4 |
| SHA256 | f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3 |
| SHA512 | efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8 |
memory/2480-950-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\dbgcore.dll
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403282244561\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 34cbce7a86066983ddec1c5c7316fa24 |
| SHA1 | a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9 |
| SHA256 | 23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42 |
| SHA512 | f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ec1a341def23c1a8b14771eb3f6cec4d |
| SHA1 | 68d85fac7d2668eccb43cc87e362f99a432a82ce |
| SHA256 | f756988c36715c2c4f6378e11a29ef492804bcf56faabb0dc80110ff45f41f0a |
| SHA512 | b5c14b976788f8e26f662f48a5419add56d1c00dda971cac8bef2fc82467d94e68ade11a2a24d687ea636e34411b0e712d8f1664114b52642173328685197a3f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
memory/1644-1459-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1716-1473-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4608-1466-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1644-1475-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4608-1481-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 06b2f5213698f22886b3c4596dec2e94 |
| SHA1 | 9c2c790b23772625483adc3ecc8976e6e35fb0b9 |
| SHA256 | dddd0950371fb0cf8f79c00b8323aa0edfc7c6a884428df77f0f6c9ea93051fa |
| SHA512 | 34b804449f0434df1eac975c5aaf05ad6b0c71d58a2f37c4b037708e24d5aa135795ceb1afd5f93baed15fa4853c312d4cea0d50f9c9ad9ab81de556f5d2eac8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9d7294e10a1e3b3dca39775d323799e4 |
| SHA1 | 4a6c665b09f74864d0addf2731b707514825117c |
| SHA256 | 35e3be39d19c358f6e3e5cfd7384d9734aa37444fccd66cea85d8c4b2e0b954c |
| SHA512 | e3ffcca84cdd2a7d963d2ee37ee591f27a34c4e3c4a058c388cd22cf5b9696233f290f39721645b72dda183fa3b922b83f4ffb1081a911cb9806fe141a84c019 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 0f38a17bbaa7b6f75f51c671be981097 |
| SHA1 | ee95e5225cfb623b6ddd58902bf72504993e2030 |
| SHA256 | 03f4d293b34e18f429d34282179a04a705d448f3b88b88982486997f6cd51f39 |
| SHA512 | 429100ae213ea857fa3fefea7b512bb616219f76cf2a55a4735776650806d42582ff886cd4779a1406d2bc9d0f514c93e40c3d12d9e764ffa8b880067bd704a2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 5b755164730760a544f34b686d619f89 |
| SHA1 | ea6f5168560f5079191f1d1893ab18b85928c849 |
| SHA256 | c3590f597a3d72962f30af37b7e03ffc6aa57cd411a98796433d19b7802bb4d0 |
| SHA512 | 5dd5d48930327baef0c4d170ae64947051cb2d80e6fde895d61a64801d52c3998d3376508792b5b167fe4556e654bf4507f00381b02d2b83c7af52ca32c24700 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8938bf8f5c3202eeadf1f6003f096a4a |
| SHA1 | b6eba25d172060a63d8b4145c195b738e00ffd1b |
| SHA256 | 5d53fb5f5d9b720a43af10335c06a6bf7cdd2742aa8b23f5044a1db708b85067 |
| SHA512 | 18d6100bf0777f8a9653479858da86710768921eb1b4b8601936cec6a61b38801152de747b3755d9ba294cc722eb5e514ff524f732114914ce9067ba028dfc95 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 41211b9b622ffa5a0ae1f00710aaacf7 |
| SHA1 | fdc47c433d88460e83654d7f59a8a9912451248a |
| SHA256 | 9bdb92fade5ceeac6e8eb8dd5ef9af1be5b430cb646ea943ee356d7d098cd374 |
| SHA512 | 575c87bcd513ee6d30ca180c2109a881376324ae45adb477ddba40463ca523183bba35c65c31aaa8bcba50cd68272fcb34b0cca6a86aef817b291b6a0299e34a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7c8c8e13c796becd6ac60447255feb8f |
| SHA1 | 35a6882d2e40076857c6a4fdc340671010f4c849 |
| SHA256 | 81acc2730ee137604c1a8f5a27e78fbf21d0b1404dcb3de41d74312a7a4def57 |
| SHA512 | 03de180f60a0f1a57c3f8e2df88986ff2d91aa6c11b04736798d14139a0e18ff1d5ce7b25ea50b854beeb4416d565544647bd88efee86bec29dc3885c404efc6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 22:44
Reported
2024-03-28 22:45
Platform
win7-20240221-en
Max time kernel
20s
Max time network
60s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWXq7sSD38uxnt6PqA8rjNUY.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5HR4Al8JFMoEXmvkrFB6wr6C.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\om5MZPVFzRjs7Oe7Do2VWu9o.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvdEK8dT2ZzMXlV30GtW4yty.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SWkCKGdDgPIXNC5FYCMIe3D0.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tNJPUkaSFseiBqHrq0uXNFQl.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scKaU59asNjbM0q8q6X5Pq3c.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f8B0eUHv1FEGOiAJCdhdYgow.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4S7Ee9Cbjo4wL4X7Poh14baV.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3060 set thread context of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe
"C:\Users\Admin\AppData\Local\Temp\cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'
C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe
"C:\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe"
C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe
"C:\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe"
C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe
"C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe"
C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe
"C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe"
C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe
"C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe"
C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe"
C:\Users\Admin\AppData\Local\Temp\u1g0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1g0.1.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240328224503.log C:\Windows\Logs\CBS\CbsPersist_20240328224503.cab
C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe
"C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe
"C:\Users\Admin\Pictures\Q3LqMhlriYkUdOHRMxvVlzL7.exe"
C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe
"C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | piramidglobaltobacco.id | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| US | 104.21.13.170:443 | sty.ink | tcp |
| US | 172.67.160.247:443 | operandotwo.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| GB | 95.101.143.18:80 | apps.identrust.com | tcp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | guseman.org | udp |
| US | 104.21.80.30:443 | guseman.org | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.251:80 | download.iolo.net | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
Files
memory/3008-4-0x000000001B1F0000-0x000000001B4D2000-memory.dmp
memory/3008-5-0x00000000026E0000-0x00000000026E8000-memory.dmp
memory/3008-8-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp
memory/3008-9-0x00000000028C0000-0x0000000002940000-memory.dmp
memory/3008-10-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp
memory/3008-12-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp
memory/3008-11-0x00000000028C0000-0x0000000002940000-memory.dmp
memory/2580-15-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-14-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-13-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-16-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2580-18-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-22-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-20-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-23-0x0000000074A60000-0x000000007514E000-memory.dmp
memory/2580-24-0x0000000000390000-0x00000000003D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar5AD4.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 897e9c6f30e894c486ecf44950ffbbb7 |
| SHA1 | 6fe8bffd66ff22929925caeb5230197919cc899b |
| SHA256 | cd15de8321d6c64052612799e5cf063af9d3bb09407fb3a0fd94ab3a1f1421d0 |
| SHA512 | 1af99dd28bd1d392c2dad4b246e19e119400af696ece2303edbd3a7cae85d51ffcbb97de222e467248102ff7924a5597936e155b0b2caa69137c66df0a1e2c8f |
\Users\Admin\Pictures\7o56DVApUKTmAT5UroG05piN.exe
| MD5 | 7fcc0bae1fa98de1d16819e6f85de171 |
| SHA1 | d8ba9866840e0449ddb78d31d6bcf2762ed3e6e4 |
| SHA256 | 28249276aafcf8911cc5fc8b6adebe10efb7141f3869ab2ec2f0bf5cffc1c82a |
| SHA512 | 58cf14e662f68b61339dd3517dae6c831a5094ef01eab8e5ee64cf85a23e26b3ffce43912ba62356fdf1a4bbeba7249f55de222154b729b8d85fa48744ddbe29 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb2d94bd3e7efb87cc9e1238474bcdad |
| SHA1 | c42843c821acd921505cef604bd1ba4544686695 |
| SHA256 | 7b331703e58a5384b91161a439a589a2006941277d9439be5992ff789e1fdf8c |
| SHA512 | 989d8ce259e0ed174e5bc8647b220748edc3ce68a746ecb7e4d34da57c402822182c9165b6eae52c2111fa0d80dd8e747b81f70342bea6887577427e56c0531d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eb73558587435ac4387468d56b4b56e1 |
| SHA1 | 37e4ca9264c8326fecf35a3e48255d954a53bcd7 |
| SHA256 | b2851ff8b8e71684ef5589d5457addc47ca9b90809aa5bf335d831754e039e4b |
| SHA512 | dcc054629a3bb4c58aa8ea8fc9fdb634d300ec4ed240fbd327606473967e35282f1f965045c2092fc2f5a5b51e0b2a8dd1df454db45d975cc6cbc5872f81863c |
memory/1872-222-0x0000000000F30000-0x0000000001030000-memory.dmp
memory/1872-225-0x0000000000230000-0x000000000029E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 034d5f9dc9cfb443c3b9535d874cd797 |
| SHA1 | 36ce8b4da9d4f4b69857cd44a58104e5a3bf03a0 |
| SHA256 | d488c02a441ca2a5c4f50ab6c11a3f47b75c521d80d98752a90fd6338016e8ac |
| SHA512 | 23babe045d54a89430da17d29d30eb1ca84ae4f61152398169cfebf5724776df3d1a4b7019e819606b6cc07d628e09ffbe3714ff80117de8e8bbea01dac22509 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1724b778bd23333e8e6e1128b20204e0 |
| SHA1 | 5c02c5d7e430b5eeacc7a4568f852bd493a5f3d4 |
| SHA256 | 43bbd7253e2d21a549b7e9f2e9e4211352644eae523d9d2fd140401aa1b2c1ec |
| SHA512 | ef54af2ef4cbe9902b24125fe58fbd5b03a045e0ec2d3a0d0e0a9b7775badbdd6025d8e96f2ca53a311a25aec04ac9c6d58e83c33a20517e8b7679d1f10c9cf7 |
\Users\Admin\Pictures\rNOzzj2Uh3ChYSTBiitKKoUQ.exe
| MD5 | e2a6c1f58b137874e490b8d94382fcdb |
| SHA1 | 71529c5d708091b1e1a580227dc52e62a140edd1 |
| SHA256 | 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437 |
| SHA512 | 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff |
memory/1872-348-0x0000000000400000-0x0000000000B0E000-memory.dmp
C:\Users\Admin\Pictures\7ky6tAb6cgfC5fE0ZpNsZxel.exe
| MD5 | 6126c6923b352edf2507639b7fe78e8a |
| SHA1 | 1fd3edb62b8d44673772fb58a05c43d5360e8e5b |
| SHA256 | 98db3710f7b5e68beb18c0ec584909ad3c92d66bbf093164892d5cd00d1021dd |
| SHA512 | 93fcbbc0a3f42f9fab3c5e0a5cbc83308b5d93999fa89f449c2b50653860de2fe3dbb42fc463bf34f5f5e5e69390dae8b6a1dfed8e742dcb0059a445cf041736 |
memory/2448-373-0x00000000001B0000-0x00000000001FA000-memory.dmp
memory/2448-372-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/2944-375-0x0000000002960000-0x0000000002D58000-memory.dmp
memory/2448-352-0x00000000002F0000-0x00000000003F0000-memory.dmp
memory/2944-386-0x0000000002960000-0x0000000002D58000-memory.dmp
memory/2504-385-0x0000000002600000-0x00000000029F8000-memory.dmp
memory/2944-389-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f00210c99ec091f79065f4f0b5e3e3a |
| SHA1 | b71e55d8e98c501fc4a003f4cd583d473ea06bd1 |
| SHA256 | 217d71f0eb509ed1d332d966c28fd33b2ca7e0f4cc0fdff2c4271d9f02f8f082 |
| SHA512 | dbacbf55afd13980a428ff421c4c6cb3e9e440e68f2c6cd376f292a0fe4bc4de828bcf062a86f1866066aa5ae4b14e81ad1e0c5724f8e43cbf5fa922345cfdb9 |
memory/2944-410-0x0000000002D60000-0x000000000364B000-memory.dmp
memory/2504-420-0x0000000002600000-0x00000000029F8000-memory.dmp
memory/2504-425-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\Pictures\2j2ahiLUuoeQcLy53c0Ix8uk.exe
| MD5 | 5f066ebf9264cad80bdb1384ce2a6b34 |
| SHA1 | a6bfd2df4ad14b8b0f90951b688a7de61f7d4bbc |
| SHA256 | 5c2b1d90d0299ff70ea73f89a9326628e602cf9f72c425b570ac5272279372e1 |
| SHA512 | 0b0ce2214f57be9155b6eb7de144a96b09a9699fd75e82e4be525a4048a027c509c3f1495f111a3cc1c62b283deb150779d6458b13022095614d502a9805f1c5 |
memory/304-433-0x00000000027A0000-0x0000000002B98000-memory.dmp
memory/2580-435-0x0000000074A60000-0x000000007514E000-memory.dmp
memory/2580-437-0x0000000000390000-0x00000000003D0000-memory.dmp
memory/304-438-0x00000000027A0000-0x0000000002B98000-memory.dmp
memory/304-439-0x0000000002BA0000-0x000000000348B000-memory.dmp
memory/304-440-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u1g0.0.exe
| MD5 | 4524e1a1e2725e159d68b3bca2c1b296 |
| SHA1 | 0e3b226d0ebd227b911c5fc25d6a28478ed0a957 |
| SHA256 | 12a5bac24e4e354bfc93a989c398df11ac5ec63c9d9834e0a9062bd8857cdda7 |
| SHA512 | 870e0e4e86593a3f060643b043d41f2aa6108af8075f19c0ba6c9d276a28df5c6f6e02a6cd088eb88382af35a41bcd626ea5add747494d468158abb7e610f3ca |
memory/1872-486-0x0000000000F30000-0x0000000001030000-memory.dmp
memory/1872-487-0x0000000000230000-0x000000000029E000-memory.dmp
memory/2160-488-0x0000000000C00000-0x0000000000D00000-memory.dmp
memory/2160-489-0x0000000000220000-0x0000000000247000-memory.dmp
memory/2160-490-0x0000000000400000-0x0000000000AEA000-memory.dmp
\Users\Admin\AppData\Local\Temp\u1g0.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/1872-508-0x0000000000400000-0x0000000000B0E000-memory.dmp