Analysis Overview
SHA256
dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3
Threat Level: Known bad
The file dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3 was found to be: Known bad.
Malicious Activity Summary
ZGRat
RedLine
Glupteba
RisePro
Stealc
RedLine payload
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect ZGRat V1
Glupteba payload
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Blocklisted process makes network request
Modifies Windows Firewall
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Identifies Wine through registry keys
Checks BIOS information in registry
Loads dropped DLL
Reads data files stored by FTP clients
Drops startup file
UPX packed file
Reads local data of messenger clients
Reads WinSCP keys stored on the system
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Creates scheduled task(s)
Runs ping.exe
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-29 00:31
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 00:31
Reported
2024-03-29 00:34
Platform
win10v2004-20240226-en
Max time kernel
75s
Max time network
107s
Command Line
Signatures
Amadey
Detect ZGRat V1
RedLine
RedLine payload
RisePro
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
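The three registry probes above (the VBOX__ ACPI table name, the BIOS version strings, and the Wine key) are classic sandbox and virtualisation checks. The script below is an added example, not part of the sandbox report or of the malware: it takes the indicator rows from the tables above as constructed input, normalises the kernel-style \REGISTRY\MACHINE and \REGISTRY\USER paths to the HKLM/HKU form analysts usually grep for, and classifies each probe. The category names, the pattern table and the extra SCSI pattern (drawn from the "Checks SCSI registry key(s)" summary line rather than from a listed row) are this example's own assumptions.

```python
"""Classify registry probes from a sandbox report as anti-analysis checks.

Added example for this report, not the sandbox's own code. The input rows are
the registry indicators listed in the report; the category names, the pattern
table and the SCSI pattern are this example's assumptions.
"""
import re
from collections import defaultdict

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe"
EXPLORGU_EXE = r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
USER_SID = "S-1-5-21-3808065738-1666277613-1125846146-1000"
WINE_KEY = r"\REGISTRY\USER\%s\Software\Wine" % USER_SID

# Constructed input: (process, registry path) pairs copied from the indicator tables.
REGISTRY_EVENTS = [
    (SAMPLE_EXE, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (EXPLORGU_EXE, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (EXPLORGU_EXE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (SAMPLE_EXE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (SAMPLE_EXE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (EXPLORGU_EXE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (SAMPLE_EXE, WINE_KEY),
    (EXPLORGU_EXE, WINE_KEY),
]

# Assumed pattern table: normalised path -> evasion category. The ACPI pattern
# covers the other VirtualBox table names (FADT, RSDT) as a generalisation; the
# SCSI pattern comes from the summary line, not from a listed row.
PROBES = [
    ("virtualbox-acpi", re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios-version-strings", re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine-detect", re.compile(r"^HKU\\[^\\]+\\Software\\Wine$", re.I)),
    ("scsi-enum", re.compile(r"^HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\", re.I)),
]


def normalize(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... and \\REGISTRY\\USER\\... to HKLM\\... and HKU\\..."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.I)
    return path


def classify(events):
    """Return ({process: sorted categories}, [unmatched (process, path)])."""
    findings = defaultdict(set)
    unmatched = []
    for process, key in events:
        norm = normalize(key)
        category = next((name for name, rx in PROBES if rx.search(norm)), None)
        if category is None:
            unmatched.append((process, norm))
        else:
            findings[process].add(category)
    return {p: sorted(c) for p, c in findings.items()}, unmatched


if __name__ == "__main__":
    found, leftover = classify(REGISTRY_EVENTS)
    for process, categories in found.items():
        print(f"{process}\n    anti-analysis probes: {', '.join(categories)}")
    print(f"unclassified probes: {len(leftover)}")
```

Both the original sample and the dropped explorgu.exe come out with the same three categories, which is consistent with explorgu.exe being a persisted copy of the sample. The practical check for a detonation environment is the reverse of the malware's: make sure the VM does not expose VBOX__ ACPI table names, vendor-revealing BIOS version strings or a stray Software\Wine key, otherwise the sample exits early and the report shows only the evasion stage.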
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe
"C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
C:\Users\Admin\AppData\Local\Temp\1000042001\d3e3ae4be0.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\d3e3ae4be0.exe"
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4076 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3568 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5348 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5996 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
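The process list above carries the behaviour that matters for detection: rundll32.exe loading cred64.dll and clip64.dll from %APPDATA% with an exported Main, schtasks.exe creating a one-minute loop for a payload in %TEMP%, netsh dumping saved Wi-Fi profiles, PowerShell zipping a staging folder, and RegAsm.exe launched with no arguments (a common host for injected code). The script below is an added example, not code from the sandbox or the malware: it runs a small set of command-line triage rules over a constructed subset of the (image, command line) pairs listed above. The rule names, the rule logic and the "ten-digit directory under Temp" pattern (observed in this report, not claimed as a universal family signature) are this example's assumptions.

```python
"""Command-line triage rules over the process list of a sandbox report.

Added example, not part of the sandbox report. PROCESSES is a constructed
subset of the (image path, command line) pairs listed in the report; the rule
names and logic are this example's assumptions.
"""
import re
from collections import defaultdict

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

PROCESSES = [
    (SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    (r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe",
     r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    (r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal"),
    (r"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"'),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F'),
    (r"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"'),
    (MSEDGE, f'"{MSEDGE}" --single-argument https://www.youtube.com/account'),
]


def _cmd(pattern):
    rx = re.compile(pattern, re.I)
    return lambda image, cmd: rx.search(cmd) is not None


def _img(pattern):
    rx = re.compile(pattern, re.I)
    return lambda image, cmd: rx.search(image) is not None


def _argless_host(image, cmd):
    """RegAsm.exe started with no arguments: nothing to register, so a likely injection host."""
    return image.lower().endswith("\\regasm.exe") and cmd.strip().strip('"') == image


# Each rule is (name, predicate(image, command_line) -> bool).
RULES = [
    ("rundll32-roaming-dll-export", _cmd(r'rundll32\.exe"?\s+\S*\\AppData\\Roaming\\\S+\.dll,\s*\w+')),
    ("schtasks-minute-loop", _cmd(r'schtasks\.exe"?.*/Create\b.*/SC\s+MINUTE\b.*/MO\s+1\b.*/TR\s+"?[^"]*\\AppData\\Local\\Temp\\')),
    ("wifi-profile-harvest", _cmd(r"^netsh(\.exe)?\s+wlan\s+show\s+profiles?\b")),
    ("staging-archive", _cmd(r"Compress-Archive\b.*-DestinationPath\s+'?[^' ]*\.zip")),
    ("argless-injection-host", _argless_host),
    ("temp-numbered-payload", _img(r"\\AppData\\Local\\Temp\\\d{10}\\[^\\]+\.exe$")),
]


def triage(processes):
    """Return {rule name: [matching command lines]} for every rule that fired."""
    hits = defaultdict(list)
    for image, cmd in processes:
        for name, predicate in RULES:
            if predicate(image, cmd):
                hits[name].append(cmd)
    return dict(hits)


def untriaged(processes):
    """Images no rule matched; these still deserve a look, but by other means."""
    return sorted({image for image, cmd in processes
                   if not any(pred(image, cmd) for _, pred in RULES)})


if __name__ == "__main__":
    for name, cmds in triage(PROCESSES).items():
        print(f"[{name}] x{len(cmds)}")
        for cmd in cmds:
            print(f"    {cmd}")
    print("no rule fired for:", *untriaged(PROCESSES), sep="\n    ")
```

The rules are deliberately narrow, each keyed on a detail visible in this report rather than on a hash, so they survive the payload churn the Files section shows (the same DLL path written several times with different contents). The msedge.exe --single-argument launches fall through as untriaged; a browser opened to account pages by a non-interactive parent is worth a process-ancestry rule of its own, but the report does not expose the parent relationship, so this example does not invent one.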
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
Files
memory/3316-0-0x0000000000FA0000-0x0000000001465000-memory.dmp
memory/3316-1-0x0000000077954000-0x0000000077956000-memory.dmp
memory/3316-2-0x0000000000FA0000-0x0000000001465000-memory.dmp
memory/3316-3-0x0000000000FA0000-0x0000000001465000-memory.dmp
memory/3316-4-0x00000000053D0000-0x00000000053D1000-memory.dmp
memory/3316-5-0x00000000053E0000-0x00000000053E1000-memory.dmp
memory/3316-6-0x00000000053C0000-0x00000000053C1000-memory.dmp
memory/3316-7-0x0000000005400000-0x0000000005401000-memory.dmp
memory/3316-8-0x00000000053A0000-0x00000000053A1000-memory.dmp
memory/3316-9-0x00000000053B0000-0x00000000053B1000-memory.dmp
memory/3316-10-0x0000000005430000-0x0000000005431000-memory.dmp
memory/3316-11-0x0000000005420000-0x0000000005421000-memory.dmp
memory/3316-13-0x0000000000FA0000-0x0000000001465000-memory.dmp
memory/3316-17-0x0000000000FA0000-0x0000000001465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | 28c4c4931f44cd4f20398de0ca02111e |
| SHA1 | 0d69a6408633eff4900201fde8caecdbb82db6e3 |
| SHA256 | a0c47bdd71b6904b35de9a9835f2ed8becc51d647f2b81ac0adcdba224bd197e |
| SHA512 | 5a9055ce6c6e869d64933a18c79031c1bf9b1feb5b180ab25f338e318624028f52c591bb944c9f4baedbb12e528a9cb4dbd96a8cb04bea8f241f18a405c3a6c6 |
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | c24cc500387c37edb2c4ac0f460dd272 |
| SHA1 | bebd2b99916372d6f4293c276387e904096b50cd |
| SHA256 | dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3 |
| SHA512 | 16c07ff0c0feb7f2c64671d11737b683e5f243c63263a46dec5ca765d0d2401dde85e57a2619e87391eefaec4f3b10a5eb2aee786d7b4d456c4bcb5fcd2a8570 |
memory/4896-20-0x00000000007F0000-0x0000000000CB5000-memory.dmp
memory/4896-21-0x00000000007F0000-0x0000000000CB5000-memory.dmp
memory/4896-28-0x0000000004F20000-0x0000000004F21000-memory.dmp
memory/4896-27-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
memory/4896-26-0x0000000004EC0000-0x0000000004EC1000-memory.dmp
memory/4896-25-0x0000000004F30000-0x0000000004F31000-memory.dmp
memory/4896-24-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
memory/4896-23-0x0000000004F00000-0x0000000004F01000-memory.dmp
memory/4896-22-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
memory/4896-30-0x0000000004F40000-0x0000000004F41000-memory.dmp
memory/4896-29-0x0000000004F50000-0x0000000004F51000-memory.dmp
memory/4896-31-0x00000000007F0000-0x0000000000CB5000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 58e1bc68cae045cd472efbd81bbb9d54 |
| SHA1 | e74cb981a49b3de7c9cd8efa2e98534150e338f5 |
| SHA256 | d7af37982bfde2086b0fc147eb551d572f595160b25bfcd700287f8ce4581621 |
| SHA512 | e0361f9e5e9fb4baf5ee38fb971aa4493d0b20d1e1e8e8c3d9f582e116a33b935cfcc57d7df259984170c932b12507b6e22c607bddf75367725cb530041f7f7d |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 92fbdfccf6a63acef2743631d16652a7 |
| SHA1 | 971968b1378dd89d59d7f84bf92f16fc68664506 |
| SHA256 | b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72 |
| SHA512 | b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117 |
memory/4896-44-0x00000000007F0000-0x0000000000CB5000-memory.dmp
memory/4572-46-0x00000179FF2E0000-0x00000179FF302000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdcdhyf5.fz3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4572-57-0x00000179FF330000-0x00000179FF340000-memory.dmp
memory/4572-56-0x00000179FF330000-0x00000179FF340000-memory.dmp
memory/4572-55-0x00007FF9D4770000-0x00007FF9D5231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
| MD5 | 1f053e1ea0a8868c5f5951fb39c85272 |
| SHA1 | 7d133be14b6c32902314bd80c455eb2a3907bab4 |
| SHA256 | 41704d38b0c77e23ad5ac03be2b65cc5d83ed63143449e59ea86921dc35f2574 |
| SHA512 | fce0193e4d7b27e544b5ea1c990c624ff67f286a514dda2ca9c555e130b7a17b2333ea3c2ef59b02919b36d3688288685beb12b63466ade2ead8943c52d435c1 |
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
| MD5 | 8f596cf662d3070c4778030b0ebf1697 |
| SHA1 | ca4e9791887dfd346392e84670f3606e08b0da70 |
| SHA256 | beac4e6145269334ebaf3d723fa089c0b336dac94ad12da55574b713c496516a |
| SHA512 | 6db0f316dacf5ee6191d1574316ecc1ac7c90c21faf3d60795cb4fd2f9c57724bb1162286a37b104741ce64e63366480a1468a49bdd114e28110c8577f4b820c |
memory/3212-78-0x0000000000E60000-0x00000000011FD000-memory.dmp
memory/4896-77-0x00000000007F0000-0x0000000000CB5000-memory.dmp
memory/4572-80-0x00000179FF7A0000-0x00000179FF7B2000-memory.dmp
memory/4572-81-0x00000179E7250000-0x00000179E725A000-memory.dmp
memory/3212-79-0x0000000000E60000-0x00000000011FD000-memory.dmp
memory/4572-87-0x00007FF9D4770000-0x00007FF9D5231000-memory.dmp
memory/4896-88-0x00000000007F0000-0x0000000000CB5000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2afdbe3b99a4736083066a13e4b5d11a |
| SHA1 | 4d4856cf02b3123ac16e63d4a448cdbcb1633546 |
| SHA256 | 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee |
| SHA512 | d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f |
memory/3212-100-0x0000000000E60000-0x00000000011FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
| MD5 | 894c8d2fb6e086c7770e622e0924b076 |
| SHA1 | ba4774b82c45a0aac5e0005ea853420d33cb5fb5 |
| SHA256 | fd95a40561cbcba0cc5d1072dfce829accfe76227da40fd52e715ed3279b14b2 |
| SHA512 | 048b3b9c65b9935eab7319c7f77811f8386a23c0b6e826515ba5ca5624cbe41798ffc689a36d46701225f1837bfc232177353fd56c31056661e40b840e3e06aa |
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
| MD5 | 85a15f080b09acace350ab30460c8996 |
| SHA1 | 3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02 |
| SHA256 | 3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b |
| SHA512 | ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f |
memory/4896-119-0x00000000007F0000-0x0000000000CB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
| MD5 | 0e0a8795472dd2e6918bd0b3656e14a6 |
| SHA1 | e6d1343e9de5e16f39b234c07da54867b8570492 |
| SHA256 | dae9dda264a496a3a5d56ccc8d3e2499ae965b89e3405808143215d143688cfb |
| SHA512 | 4b5aaf7245dc015156173ca6002303ebef94f0ba14f670006fb73f622249e0b6c97c15fe1c545912027b8e875ec220d6f97c1a55935da1f36f36e787693f2e48 |
memory/788-121-0x0000000072F70000-0x0000000073720000-memory.dmp
memory/788-122-0x0000000000ED0000-0x000000000108C000-memory.dmp
memory/788-123-0x0000000005B70000-0x0000000005B80000-memory.dmp
memory/3212-124-0x0000000000E60000-0x00000000011FD000-memory.dmp
memory/3212-125-0x0000000000E60000-0x00000000011FD000-memory.dmp
memory/4896-128-0x00000000007F0000-0x0000000000CB5000-memory.dmp
memory/4400-129-0x0000000000400000-0x0000000000592000-memory.dmp
memory/788-131-0x0000000003650000-0x0000000005650000-memory.dmp
memory/788-134-0x0000000072F70000-0x0000000073720000-memory.dmp
memory/4400-133-0x0000000072F70000-0x0000000073720000-memory.dmp
memory/4400-135-0x00000000055D0000-0x00000000055E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
| MD5 | cc90e3326d7b20a33f8037b9aab238e4 |
| SHA1 | 236d173a6ac462d85de4e866439634db3b9eeba3 |
| SHA256 | bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7 |
| SHA512 | b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521 |
memory/4572-158-0x0000000072F70000-0x0000000073720000-memory.dmp
memory/4572-157-0x00000000003C0000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
| MD5 | 1fc4b9014855e9238a361046cfbf6d66 |
| SHA1 | c17f18c8246026c9979ab595392a14fe65cc5e9f |
| SHA256 | f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50 |
| SHA512 | 2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12 |
memory/4572-160-0x00000000051E0000-0x0000000005784000-memory.dmp
memory/3248-161-0x00000000003B0000-0x000000000043C000-memory.dmp
memory/3248-162-0x00007FF9D4B10000-0x00007FF9D55D1000-memory.dmp
memory/4572-163-0x0000000004CD0000-0x0000000004D62000-memory.dmp
memory/3248-164-0x000000001B220000-0x000000001B230000-memory.dmp
memory/4572-165-0x0000000004E80000-0x0000000004E8A000-memory.dmp
memory/3212-166-0x0000000000E60000-0x00000000011FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
| MD5 | 22aeb43ba6ab6f8985f494951dd988d5 |
| SHA1 | 52dbcc33bd585750d8cad31bf2e5d0525cf77440 |
| SHA256 | a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb |
| SHA512 | 3432e70efae0c0f2b5dd590e3bf00457c27958905dbf5453ca3a3687509787f8b1fb264ccbe1daccd9bce5dafc2987a8f4a7ab473a9f5effc4dd9d61b5bffaaa |
memory/4516-183-0x00000000001C0000-0x0000000000680000-memory.dmp
memory/4516-184-0x00000000001C0000-0x0000000000680000-memory.dmp
memory/4516-187-0x0000000004B90000-0x0000000004B91000-memory.dmp
memory/4516-188-0x0000000004B20000-0x0000000004B21000-memory.dmp
memory/4516-189-0x0000000004B40000-0x0000000004B41000-memory.dmp
memory/4516-190-0x0000000004B30000-0x0000000004B31000-memory.dmp
memory/4516-191-0x0000000004B80000-0x0000000004B81000-memory.dmp
memory/4516-186-0x0000000004B50000-0x0000000004B51000-memory.dmp
memory/4516-185-0x0000000004B60000-0x0000000004B61000-memory.dmp
memory/4896-192-0x00000000007F0000-0x0000000000CB5000-memory.dmp
memory/4400-193-0x0000000072F70000-0x0000000073720000-memory.dmp
memory/4516-195-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
memory/4516-196-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
| MD5 | 2e5f7a5a55215fb109d7379cacd37a84 |
| SHA1 | dd65938f54a6251b45172f20d51e1655289bb75d |
| SHA256 | b69e2b06abe3f49b7867b8ec633916b5a9018743af19a3c34bf414e091a3ec95 |
| SHA512 | 06608e208573579bb0bc046e4565d268eaa777395e382631a279417f55a3671c1462fd711091bba17cc00b0e8ada6e710b84f7a5dc5928a34c4cb65971b5cea4 |
memory/4516-206-0x00000000001C0000-0x0000000000680000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
| MD5 | 832eb4dc3ed8ceb9a1735bd0c7acaf1b |
| SHA1 | b622a406927fbb8f6cd5081bd4455fb831948fca |
| SHA256 | 2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7 |
| SHA512 | 3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894 |
memory/4624-217-0x00000000008F0000-0x0000000000DB0000-memory.dmp
memory/564-229-0x0000000000070000-0x00000000000C0000-memory.dmp
memory/4572-228-0x0000000072F70000-0x0000000073720000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\random[1].exe
| MD5 | 2375e217c2858b273cfcc18d89594203 |
| SHA1 | ad7ef4562791da218f124555c8fa0d2850e092aa |
| SHA256 | 5ea7f8142718302e7b5d6ad9d7ce7ab072e9696730201cbe565c4673e2727ab7 |
| SHA512 | 9c29e315eaad4ef0391bd75b9376432ac1b14eee2d6529249c224c390e0da4e462f6e18ea1b776fee62acf0a5e23773f1fe6d8f2b1288abbcfea773e8baf7e95 |
C:\Users\Admin\AppData\Local\Temp\TmpDA1A.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\1000042001\d3e3ae4be0.exe
| MD5 | 1a4408075444c710fa7ea965ee4fdff6 |
| SHA1 | fcb2c1fa874b9a40fb7136666fc8743780c317f3 |
| SHA256 | fdcd0d7d7a39d2012cf48d1ad2400cd115eae097d2f7341d8a29d6d0a6a4d05e |
| SHA512 | 2484ea421580fc4d92c9155a9ed9800848d9d6a1b4d3ed9b5d90b1090011e0b0fe6f4d8a36f6aaa6c47541169779c4c9d0016dec4081f0e145c7e2ffaad840a8 |
C:\Users\Admin\AppData\Local\Temp\1000042001\d3e3ae4be0.exe
| MD5 | fc95de28e1f880517d5e9d338ad46a1f |
| SHA1 | d8617a46797fb372f113d80884a0e86916dbcd88 |
| SHA256 | b6b76009e1ce63429729d41a64ad753a7f12bf779ac459c4fe05ecff4e24468d |
| SHA512 | 6e05f258fa88225674d797cb802ed5d678c32ba4e081f621606abd3ca96a802d76219de28b8303c8dfcabca0a2662e597302f18828701e3437cdf3d09f8aee87 |
memory/2176-288-0x0000000000400000-0x000000000079D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
| MD5 | dac7ea5bf9023a41a76d983e899a7f93 |
| SHA1 | 7107b47686cd1c4de755c87753e165e6ba388c31 |
| SHA256 | 1bc9767a55b42d6f24dfcb207c1764d6b7c9ec33cfd3bdc9d487bdf4e3b6c688 |
| SHA512 | addd9920141c4c33cb4455283c370afe1f189a47f7d84619ac70f0d229a5d966f9d8c1e92d3094416ace34fac3b7f4ff10049478c729f6078041c9f706ae5573 |
memory/2176-292-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-295-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-294-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-296-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-299-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-300-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-302-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-301-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-303-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-306-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-307-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-308-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-310-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-309-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-311-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-312-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-315-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-314-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-316-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-305-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-317-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-320-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-304-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-321-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-324-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-325-0x0000000000400000-0x000000000079D000-memory.dmp
memory/3212-328-0x0000000000E60000-0x00000000011FD000-memory.dmp
memory/4896-327-0x00000000007F0000-0x0000000000CB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
| MD5 | e921340bf5a9d5152af86d09b5e356cf |
| SHA1 | e9f6802fddd4a4d86aa4e7db2a932656103a35ca |
| SHA256 | e45b084c3b6081c5b8eef6168ac26bb8b5cd2efae478147b67136695080648b2 |
| SHA512 | 7b086a8a67d58d9620cdd097d862bf62eabc6cef242edc7ab49569d2f45cb5fa97f86e572e843ed158d311a5b9b24f1b73b3cfe5233e5487968f7d5c20f23ad7 |
memory/2176-322-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-323-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-298-0x0000000000400000-0x000000000079D000-memory.dmp
memory/2176-297-0x0000000000400000-0x000000000079D000-memory.dmp
memory/4624-334-0x00000000008F0000-0x0000000000DB0000-memory.dmp
memory/1356-343-0x00000000008F0000-0x0000000000DB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
| MD5 | 2f8912af892c160c1c24c9f38a60c1ab |
| SHA1 | d2deae508e262444a8f15c29ebcc7ebbe08a3fdb |
| SHA256 | 59ff8e0aa665fbbf749c7548906a655cb1869bb58a3b7546efa5b416d19e6308 |
| SHA512 | 0395383bde98d358b0a7f2224f903dff026ce0c6d90feb49ac0e6993ef692143b0eb25da84d9cdc9e7b373a7b75a6dbaef14746eda1bff165d59f07ca51a16bb |
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
| MD5 | 83d0b41c7a3a0d29a268b49a313c5de5 |
| SHA1 | 46f3251c771b67b40b1f3268caef8046174909a5 |
| SHA256 | 09cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9 |
| SHA512 | 705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5 |
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 15a42d3e4579da615a384c717ab2109b |
| SHA1 | 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301 |
| SHA256 | 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103 |
| SHA512 | 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | fc3cbe1b3fd81889d158214e9160ed24 |
| SHA1 | 399861ae01cedacef572e5fd9a6c988e97df4aaf |
| SHA256 | 07867cc25a0b7ca282ec74519c3b7f170d760d0a1ce2ade0267b4f5c89598fbf |
| SHA512 | ffd80ec7af3d0eab3c1e20b703423a883353c3abab4c300330029e88acfe49c7d8e5117624d63de399afbfa36896f27ba68d10f05dcd77feba2a3c1a51360920 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 0d532393ab661158b6081cb773d884a5 |
| SHA1 | 9c28dc71b81c6e0fa52b552cbf24592e99ba446a |
| SHA256 | 0673988021715e4ea786d0bb835bc1c9120ff7375467b8ccf33ea9f0e14d0810 |
| SHA512 | 44c250cf97f771c78f0b949db118efedbb7f19eacc5cbe070b4dd4bfdc25858557d259b4edf77d1dd18fe3b42f4a7795bff4aff5b8e51ffb6fd3950f719f975e |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6963195e4d71b82d970ff64c4bd67778 |
| SHA1 | 0aef6424c53ea6303e7e49e1ffd6cfcdfdee1ef4 |
| SHA256 | b7140113c2465ef467811976441e3e9796d99d076f85e7f6d12720005b74e755 |
| SHA512 | 6fbe3aa17032358a2ba2a95d980d2620265fe14e99c13ab7e9968f6d3bda34f3e1154803fd9a063f90c40112fd0e4f6d230d1524de40d0dbe297a1d42fc830d6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353
| MD5 | afd41eb6cc25ce0c3483581be311187f |
| SHA1 | fa8dbf1d63505fed82e6734f0f3e52a5d861849b |
| SHA256 | a94e4b79a7450f914d1f513758263e9720239d930d96e0bac06e17e5af2b65b6 |
| SHA512 | 42dd2c2031a5f9c8d9903b368f4af376c5ed165c70502badba62693757b81b5ea79f46791e432197725af9453332faeb3ffeaf7064f368e4bec3af74c3b96e48 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 3b839aa775eaa61619da85a6ee19e928 |
| SHA1 | 56768ea9b0222b18f07b3bce168c5e59c1f1f478 |
| SHA256 | e69b2cce41aa22708b428a98a8c67bf70901d0b608361a5293608b305ef094b1 |
| SHA512 | 425792bd70c3fbe1f8d1eb28b73f02902f47dbd0b419c82dfb71bc3116440507b91be3a3de7c8779be42ac0093284d7e763683db2fac227c7982e01fed4f11a3 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 1aa4c8a8b942fc6bcb48eb0074a8115a |
| SHA1 | 9fd64716658829032a272d64fba6b5b0fcc2faff |
| SHA256 | bde42a06c4b56700c437c20f3c8559ebbecb8470eb13f67ea0654e69c62441e4 |
| SHA512 | d14ff2c99de25c3cf0398892a1a5c34cf97a2a301c6d8391b14925f9d6105c3d0e25e4e19788db336d75a36b7274e6761beeebbda66ec0ada40f060e2d25afa3 |
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
| MD5 | 4b43170b7ee46bc9945587dbbaa6e158 |
| SHA1 | 7fdb4e69de5a5488ba63e6f656174ce9ced9441b |
| SHA256 | 05a587cb85ca8f0f1a75dbe6cbb75b534ceb1cabfd44a8620764e25ba6898b41 |
| SHA512 | 44a3640188775da02f12a53e70dba5addbaa48f67b3b9813f6cb51e791546252ca338cdbb02a18e0e3c7740e9358a52fd59b96d67b2de39fd635c827985eb640 |
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
| MD5 | d4715e1265bfc8eff59fd33440488b54 |
| SHA1 | d1fdec8babd5fd1b9973d0a5e28df57e195aa156 |
| SHA256 | 2515e4db9f9ce6c66a6fb17c781ac90ca93dbb9087c9eb91508f3a4befadeb57 |
| SHA512 | 75c94ec20b9ac778e89e05d651c643d052502c318734f53b99cd83f571ae4d8226fdfa0cd4af245e93f0058adb9ef0c6ed49cbb238d1b41923294c576fdd4942 |
C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
| MD5 | 8200ef6d8091bf3e313b487844823db2 |
| SHA1 | 043167030174d1fa867327ab669e314631ca4008 |
| SHA256 | 69a6357914af64dbcdfd81b44a711662165101ee79f9f3c66adadd9aa5160609 |
| SHA512 | 1035ef27aee2b9a1a89fcc5eaa1edbbe70969588bcabf75d6d1edfb432b2e65df3697e39a4db1bc519e3d6bb66761df95b2d6617bf23db5cdfd68c1bcc642f62 |
memory/3212-452-0x0000000000E60000-0x00000000011FD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fe3aab3ae544a134b68e881b82b70169 |
| SHA1 | 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6 |
| SHA256 | bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b |
| SHA512 | 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280 |
memory/4896-454-0x00000000007F0000-0x0000000000CB5000-memory.dmp
memory/4624-458-0x00000000008F0000-0x0000000000DB0000-memory.dmp
memory/5324-462-0x0000000000740000-0x0000000000C05000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b6a25a6c2228d5e8c6d21de29f7ab9b |
| SHA1 | 08b46ff30e31bb8b32ed835458f40885d5f3f305 |
| SHA256 | a2ac48e136a9d05230a7710bf2a0777dc5537066ba16a4dd0cc5f904040677e7 |
| SHA512 | c67ac96967fcd644d2c6c27de99bda74e05adf169a10b0126af3558f71ec019882df92a554e9fdd368eed797a3c27b2afb409a681e9c35ae879ad93ee08cad7a |
memory/1840-478-0x00000000002D0000-0x000000000066D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
| MD5 | a3cb9f7dc246756a8d5050c1ae736eb4 |
| SHA1 | dfb8c1f5c9eb1d6cb1a1308cc13d9abc03f0a379 |
| SHA256 | a02ea10847b32e2b39de6f8e85dcb68d0711ea26a57ac036ad68f19dfc9fd77a |
| SHA512 | 68c941aef82ca87622a4c7676617b2900ce12fddce7386ec28dc4e7b0ad129ad57655a329ea9748ffad264214c03ab89701f18901e47291b95561851dd3b850e |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | 726cd06231883a159ec1ce28dd538699 |
| SHA1 | 404897e6a133d255ad5a9c26ac6414d7134285a2 |
| SHA256 | 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46 |
| SHA512 | 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e |
C:\Users\Admin\AppData\Local\Temp\tmp3452.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmp361D.tmp
| MD5 | d444c807029c83b8a892ac0c4971f955 |
| SHA1 | fa58ce7588513519dc8fed939b26b05dc25e53b5 |
| SHA256 | 8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259 |
| SHA512 | b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e |
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
| MD5 | 072593a07a4cae9c6b02d282d4f1514a |
| SHA1 | d6cae73f488f7c4b2b66f90d1e3b0c4e0fb0fd8a |
| SHA256 | 27f086dd55e722a67249dd511d62f391fae9e240118c888f69027c905182bd77 |
| SHA512 | 6c2405b1685dd62e3a8364accfa20e64eb5e9110ab4745733ebf6e2e46dd0e0fbeffd1ca3a28307de5451f01a36467a303278a3f76cbf9c8fc6baabd34d49813 |
C:\Users\Admin\AppData\Local\Temp\tmp365E.tmp
| MD5 | 568f1b99bed86691e4117ef061008380 |
| SHA1 | 4ae332f6c14b0c6440e4a339eb2a4b6cea238554 |
| SHA256 | e3d4ae5acddea28f2d5f67ce7adbba95841b8c4096b586e6b14f860739fc46ca |
| SHA512 | a69bf696f713b5c35f047cfd5fbb6202950b24054d235756b8ea29eb646668a409b02d5014196ad7fb6dd4923ee4eaea02be1ba6d5832cc155be4c963336004f |
C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe
| MD5 | 9d9352185759b2cf7ef4f9b01b87700f |
| SHA1 | 8aca943d4e868080d7cbad57f2ae8693352f75a1 |
| SHA256 | 32496cc9a758ecb4f90a6a2c82662d9394b639dcb2668ad6e88b36c86760e891 |
| SHA512 | fae86293520ece96e0cf190f46cd8980e3ab110e99830bfea15662fe7e15ecdbeadb584af422e6cf494c85f690142c19b80076bf0a331b94f21a22264ec0ff25 |
memory/5804-560-0x0000000004FE0000-0x00000000051F6000-memory.dmp
memory/5804-561-0x0000000004FE0000-0x00000000051F6000-memory.dmp
memory/5804-563-0x0000000004FE0000-0x00000000051F6000-memory.dmp
memory/5804-565-0x0000000004FE0000-0x00000000051F6000-memory.dmp
memory/5804-567-0x0000000004FE0000-0x00000000051F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
| MD5 | 2ae646180cdf6fba58598457afaa4cf2 |
| SHA1 | 0dcef001bbe3c4d06a84868445f9fa41dd4b2267 |
| SHA256 | 9f865677501f44312a5d13f3ad7ad712d3ebd79b16be38473c1ea9f75e8e4388 |
| SHA512 | 64e056539761ba2a866045b1e266eaa4cc8a040237733df6200e55fdad47652c4819e15145571725cebecc9b42f88d4ca1fcf13881e8ba8ace1d140492e19ab7 |
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
| MD5 | f88537ab4513ac9aaab3e57bb03cd7f2 |
| SHA1 | a8837d37a2efb0931270eebea98e21a3bcf3f4be |
| SHA256 | 19953a62f44091cb5bc5a425e681b2a4affc2299dff595acefa5ee9958e7ab6b |
| SHA512 | 19e3daab56b2f2965c1a9423ad7724e4ef708166587c62d731074c9bbdcd566f4b5ad10ba5afd767e8a1df9a16f05c958887bd526fc075016a22a544b46bf792 |
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
| MD5 | 53dd90584774afdb6d1798a8b343ee0d |
| SHA1 | c9f3e5d8ac0f3bb6033a21c75983189ce7de2296 |
| SHA256 | 4964d131ec37621e720d70790bb1c654f34e40d0905422c072fa64bfe7d4aa43 |
| SHA512 | f8da6ee01810548fae1fe6948fb1ed43e22f67d19003b4a6abb34a97800b035e38b388232e557afb37a6f7509e80b4a375d764a66f1daba9e2080ee6a7b05e8a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 00:31
Reported
2024-03-29 00:34
Platform
win11-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Amadey
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3268 created 2584 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nGIYuPwBJ7KzfP8S7VkBAIEg.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cA4V9tXdRiR4XmzS0bODnqPq.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s0jm4YCeWsnFnH3zbwmJGebX.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5O73mN5vQGLYprVhjicAbo4H.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BzSq75M6GMxC4C8JkEh3jM8W.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SXF8rhfqOOzO26vmZFaPIPpP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QU6x8hwc6TpHZGSvlNqgGhNF.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6RuashOVcc3DwpLMmEQ7tycU.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdVucLRIzuLTbb0tPrdcc08y.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X8iEzgYQ8375X8nEoQsn4NG6.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2132 set thread context of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 2872 set thread context of 3268 | N/A | C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe | C:\Windows\System32\Conhost.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 | C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe
"C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe"
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe
"C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe"
C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe
"C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe"
C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe
"C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe"
C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe
"C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe"
C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe
"C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe"
C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe
"C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2872 -ip 2872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 876
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3268 -ip 3268
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3268 -ip 3268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 532
C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe"
C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe
"C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe
"C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe"
C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe
"C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3648 -ip 3648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1288
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe
"C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe" --silent --allusers=0
C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe
C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x290,0x2bc,0x6e38e1d0,0x6e38e1dc,0x6e38e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\nvEgXPvRALAzyhRcDjKRaQOF.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\nvEgXPvRALAzyhRcDjKRaQOF.exe" --version
C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe
"C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2564 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329003229" --session-guid=c5d6640f-8db9-45b1-a531-329ec4c6ffd5 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7004000000000000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe
C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6da0e1d0,0x6da0e1dc,0x6da0e1e8
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1164
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5088 -ip 5088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 2760
C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe
"C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5088 -ip 5088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 2768
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5088 -ip 5088
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 2796
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x1040040,0x104004c,0x1040058
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.64.42.5.in-addr.arpa | udp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| US | 104.21.15.5:443 | operandotwo.com | tcp |
| US | 104.21.32.142:443 | shipofdestiny.com | tcp |
| US | 104.21.32.142:443 | shipofdestiny.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 172.67.173.167:443 | guseman.org | tcp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.73.21.217.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 172.67.206.194:443 | N/A | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 172.67.206.194:443 | N/A | tcp |
| US | 172.67.206.194:443 | N/A | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 172.67.206.194:443 | N/A | tcp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| US | 172.67.206.194:443 | N/A | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 185.26.182.112:443 | features.opera-api2.com | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| N/A | 185.172.128.90:80 | N/A | tcp |
| RU | 185.215.113.32:80 | 185.215.113.32 | tcp |
| FR | 143.244.56.49:443 | download.iolo.net | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.104:443 | server5.datadumpcloud.org | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| NL | 82.145.216.24:443 | N/A | tcp |
| US | 104.18.11.89:443 | download5.operacdn.com | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| DE | 185.172.128.65:80 | N/A | tcp |
| BG | 185.82.216.104:443 | server5.datadumpcloud.org | tcp |
| NL | 52.111.243.29:443 | N/A | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| BG | 185.82.216.104:443 | server5.datadumpcloud.org | tcp |
Files
memory/3256-0-0x0000000000680000-0x0000000000B45000-memory.dmp
memory/3256-1-0x0000000077206000-0x0000000077208000-memory.dmp
memory/3256-2-0x0000000000680000-0x0000000000B45000-memory.dmp
memory/3256-4-0x00000000051D0000-0x00000000051D1000-memory.dmp
memory/3256-3-0x00000000051E0000-0x00000000051E1000-memory.dmp
memory/3256-6-0x00000000051B0000-0x00000000051B1000-memory.dmp
memory/3256-5-0x0000000005210000-0x0000000005211000-memory.dmp
memory/3256-7-0x00000000051C0000-0x00000000051C1000-memory.dmp
memory/3256-8-0x00000000051F0000-0x00000000051F1000-memory.dmp
memory/3256-9-0x0000000005240000-0x0000000005241000-memory.dmp
memory/3256-11-0x0000000005230000-0x0000000005231000-memory.dmp
memory/3256-15-0x0000000000680000-0x0000000000B45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
| MD5 | c24cc500387c37edb2c4ac0f460dd272 |
| SHA1 | bebd2b99916372d6f4293c276387e904096b50cd |
| SHA256 | dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3 |
| SHA512 | 16c07ff0c0feb7f2c64671d11737b683e5f243c63263a46dec5ca765d0d2401dde85e57a2619e87391eefaec4f3b10a5eb2aee786d7b4d456c4bcb5fcd2a8570 |
memory/4140-18-0x00000000002E0000-0x00000000007A5000-memory.dmp
memory/4140-19-0x00000000002E0000-0x00000000007A5000-memory.dmp
memory/4140-21-0x0000000004D70000-0x0000000004D71000-memory.dmp
memory/4140-24-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/4140-25-0x0000000004D90000-0x0000000004D91000-memory.dmp
memory/4140-23-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/4140-22-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
memory/4140-20-0x0000000004D80000-0x0000000004D81000-memory.dmp
memory/4140-26-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
| MD5 | 16f67f1a6e10f044bc15abe8c71b3bd6 |
| SHA1 | ce0101205b919899a2a2f577100377c2a6546171 |
| SHA256 | 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89 |
| SHA512 | a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c |
memory/2132-46-0x000002B3D55B0000-0x000002B3D55BC000-memory.dmp
memory/2132-47-0x00007FF9C6730000-0x00007FF9C71F2000-memory.dmp
memory/2132-48-0x000002B3D5A80000-0x000002B3D5A90000-memory.dmp
memory/2132-49-0x000002B3F0A50000-0x000002B3F0AC6000-memory.dmp
memory/2132-50-0x000002B3EFAE0000-0x000002B3EFAFE000-memory.dmp
memory/2132-51-0x000002B3EFD70000-0x000002B3EFDCE000-memory.dmp
memory/2132-52-0x000002B3D5A80000-0x000002B3D5A90000-memory.dmp
memory/2132-53-0x000002B3D5A80000-0x000002B3D5A90000-memory.dmp
memory/2748-54-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2748-55-0x0000000072BC0000-0x0000000073371000-memory.dmp
memory/4140-56-0x00000000002E0000-0x00000000007A5000-memory.dmp
memory/2748-57-0x0000000005040000-0x0000000005050000-memory.dmp
memory/2132-58-0x00007FF9C6730000-0x00007FF9C71F2000-memory.dmp
C:\Users\Admin\Pictures\T4H0WKmNk9KV5Hvpmuhes0mi.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\ovxQTMmmlShXXxtXeAw1nKYE.exe
| MD5 | 978ff4cca970ad267dc95983a6d93836 |
| SHA1 | 7f0c40c1c5917b06de2b199b85601d05a30d02d3 |
| SHA256 | 7261982e88464a33c2a40dc033a51d9aa963d731120c8a3a2fa88060a1498267 |
| SHA512 | cb44cfe4bf7d721ed97e94d2c1e19b3becdd874283ad96ab4c1addebc6414833e2ea8394a95e363e477910dc1454529e698dd268ccc3916dc887685a48682457 |
C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe
| MD5 | 5c804dea51e39d91f9c32a877a6105e3 |
| SHA1 | 0dc2e412bc8b68beb99354fb7be0e3cd115bd0fc |
| SHA256 | e83b6dab810ac2ee9f094152bbf1fda89bcfc16e5f7413cc07b83c5ff15a7cc3 |
| SHA512 | 6bd12c5008d53d094e6bdcf7f87184b6328a42e0ef32f0c8b360e8954bbec86c6178bf640c0132d03cb9c6fd92e0b636f76c2a485bcb3d1b2e79ee20240d4c14 |
C:\Users\Admin\Pictures\jze9SUcuzZWkxDlLQA5W2OXC.exe
| MD5 | a05308155e1fd4b7dd61a4822337cd63 |
| SHA1 | 0fc568dd9671e8a1dede2a063214dcc7bfa53477 |
| SHA256 | e033dd7779b0847fe394e6a0b2c77579eb36434333918a7830aeda5b6cf641b9 |
| SHA512 | a4b44f101efccc40bb29b4c3e1ec0a5303a8669bc7c872f49a8652d5e7a72768152d833edbf4788f48de41b249ee4c699f733ed6d2ebd2b051a70fc0d3234593 |
memory/4964-104-0x0000000002840000-0x00000000028AE000-memory.dmp
memory/4964-103-0x0000000000DA0000-0x0000000000EA0000-memory.dmp
memory/4964-105-0x0000000000400000-0x0000000000B10000-memory.dmp
C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe
| MD5 | 97d21b1e771c5eac429cf5b16672c07e |
| SHA1 | 961396698844f4811719249636db36b67e5543b5 |
| SHA256 | 109d87c5dea80163592dda714a6b7407538058e986808591fdbe9c3ab4d87a73 |
| SHA512 | 750d6eea1bfb668f6323a3288c1ca57c457541b43e7c02abb6e847fbe165399de877acbdd8e503482615969904e11ca08a1389bf8e174a9dafcf37399bec6cc8 |
C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe
| MD5 | e2a6c1f58b137874e490b8d94382fcdb |
| SHA1 | 71529c5d708091b1e1a580227dc52e62a140edd1 |
| SHA256 | 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437 |
| SHA512 | 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff |
memory/2500-146-0x0000000002C30000-0x000000000302E000-memory.dmp
memory/4140-134-0x00000000002E0000-0x00000000007A5000-memory.dmp
C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe
| MD5 | 68f8731e5cbc9e34ba6b923c82dfff0a |
| SHA1 | 6ff499a82e54c99c1d59569f04337705697cf86e |
| SHA256 | 9051b57caec9ad903cb5a327efaf2a745511389107518bb07954000023d288e3 |
| SHA512 | a1a327531f270752cf03c13e3a89ac046f10cc75faf97580291b4fbe3a19b4a0d992d70297e9e37c16d03dcd20de746f5f87123c2c71f0ffad71e87dcaef035c |
memory/3648-156-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/3648-157-0x0000000000D70000-0x0000000000D71000-memory.dmp
C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
memory/3648-161-0x0000000000DC0000-0x0000000000EC0000-memory.dmp
memory/3648-149-0x0000000002860000-0x00000000028AA000-memory.dmp
memory/2500-171-0x0000000003030000-0x000000000391B000-memory.dmp
memory/2500-172-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/2872-175-0x00000000008F0000-0x000000000095E000-memory.dmp
memory/4072-174-0x0000000002C50000-0x000000000304C000-memory.dmp
memory/4072-179-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/792-182-0x0000000002C80000-0x0000000003084000-memory.dmp
memory/3268-183-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3268-178-0x0000000000400000-0x000000000046D000-memory.dmp
memory/792-184-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/2872-185-0x0000000072BC0000-0x0000000073371000-memory.dmp
memory/2872-186-0x0000000005220000-0x0000000005230000-memory.dmp
memory/2872-187-0x0000000002C60000-0x0000000004C60000-memory.dmp
memory/3268-188-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2872-189-0x0000000072BC0000-0x0000000073371000-memory.dmp
memory/3648-190-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-191-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-192-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-194-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-193-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-196-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-197-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-195-0x0000000003250000-0x0000000003350000-memory.dmp
memory/4140-199-0x00000000002E0000-0x00000000007A5000-memory.dmp
memory/3648-198-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-201-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3648-200-0x0000000003250000-0x0000000003350000-memory.dmp
memory/3268-401-0x0000000004090000-0x0000000004490000-memory.dmp
memory/3268-404-0x0000000004090000-0x0000000004490000-memory.dmp
memory/3268-407-0x00007FF9E77A0000-0x00007FF9E79A9000-memory.dmp
memory/3268-411-0x0000000076E90000-0x00000000770E2000-memory.dmp
memory/3504-413-0x0000000000640000-0x0000000000649000-memory.dmp
memory/3504-425-0x0000000076E90000-0x00000000770E2000-memory.dmp
memory/3504-422-0x00007FF9E77A0000-0x00007FF9E79A9000-memory.dmp
memory/3504-419-0x0000000002390000-0x0000000002790000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_llonoco1.ota.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe
| MD5 | bb9c579553855366be205788003e7841 |
| SHA1 | 828e5b2f7388da912c39b7336f1d361221df8021 |
| SHA256 | 970a048241568ba8350ff7b3d4ec9a4d241c981eff4ec2e97c1bf082537e5d61 |
| SHA512 | 78a60497c9deb917096c59ea86699e36ef3db1809e327ca94ae62d4d45d6fac5aca1b5fe5fc12f5e363e8c52ae42a6c72110a1f0f6b9455e00feb2fbe464a20d |
memory/4964-562-0x0000000000400000-0x0000000000B10000-memory.dmp
memory/2500-566-0x0000000000400000-0x0000000000ECF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac4917a885cf6050b1a483e4bc4d2ea5 |
| SHA1 | b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f |
| SHA256 | e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9 |
| SHA512 | 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 19d93f5f22e0ed1688815aab43b1fb6c |
| SHA1 | d79067036b97dc779b6c816edcc86a445eb26164 |
| SHA256 | 1bd9351509cae5f1b9c69dc3a27cc8368ed4a3ab831ab322c1c511aafab53930 |
| SHA512 | 41f15077e0be7ed2327100c167ddf9e8ce28048b0478cfbd50d567187348d5599b55fd6716546cd7e1378aedfd9c94792ea719cbb6973e5f693e7845f85deaf6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 80e05a83b3a08c8ae1b2563d40d5dd87 |
| SHA1 | 957468a64872bf04ace81f4517adec3f0e9d25eb |
| SHA256 | 27425ba450ed614a8c5506d6a04ddbb686ecd39c69989c273d7e75fa7f3fa49e |
| SHA512 | 72da0488e5594c41c527ae003b98ebb74fe4b2058b23f6c4bf47a68a81c2dbfb73410cd51f1df51d062bac9e47ba0f12cffba1d86fdc64f3a19fec566fd65544 |
memory/3648-579-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/792-585-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/4072-586-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/4140-840-0x00000000002E0000-0x00000000007A5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | d0c46cad6c0778401e21910bd6b56b70 |
| SHA1 | 7be418951ea96326aca445b8dfe449b2bfa0dca6 |
| SHA256 | 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02 |
| SHA512 | 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c7650cd20390daeb7169ccdb036555c9 |
| SHA1 | 2920e61155adf1e91b879116cbf7ccd7b31f4ad3 |
| SHA256 | 9bd5bc786c565655b1f4d93ce69257c98e5b0cdc9febfe90d7930e187db96ba8 |
| SHA512 | 004e435136600c0b9d2712b6b81b9b271256f0ff39836921bff1fa41ea3e5fd43dbeed6fde36feda107b22af5bf709b0005d050ddf960be02ec11e861f5f19ef |
memory/5088-963-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 5c4a046bdf0b7c4f145637425df96142 |
| SHA1 | 42795043774c1c9ec1a2023abb23a29b7a8a876d |
| SHA256 | 970a015fb4e16b87c46d6a11b01074560146b6314fb18f381434a37946216fb6 |
| SHA512 | b3fd50ab9d0d0f05bfafa6ff3841af045dccc4b9da8399bc73f9938e0c96d80f19df9ba0aac49447fc1b9b73388fa6ee5e7f122891139edfc40660ade1d9c289 |
memory/5088-1043-0x0000000000400000-0x0000000000AEC000-memory.dmp
memory/3648-1110-0x0000000000400000-0x0000000000B06000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f0e5b81b5b774c6e45c95b9f99120135 |
| SHA1 | cad3d957247857adced4ed7f6f9bdc1255b44721 |
| SHA256 | 126ccb08589bfad4c92d47353017050d6da52708faa12bc2b671e8cd6374772e |
| SHA512 | 96b6b2e36cf944b09de14a6b926aab9ea4728ade7a52ea6f24271f5223deed19453a1eaecdca12b27c0c22ede626d06727d1fa8d000a364203da580a43594d3c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 76c81c705846f47df261ce736f58b8a9 |
| SHA1 | ff394fedacb64c651bda20f01ab5bd981ecf975d |
| SHA256 | 51792042439163d4199fbdb72ca2f4af9ab9c171414d1a733d3ca1f4016e8743 |
| SHA512 | 441f67469b9afbae4aa3ddca7b981e6dc40a7763be91b481e56c468eab5f90afa8d56658ab0288e560511e98fb21fd341ff38290c06abc1a1ad862f06dceed99 |
memory/2500-1128-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/792-1129-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/4072-1130-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/4692-1131-0x0000000000400000-0x0000000000ECF000-memory.dmp
C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe
| MD5 | d5e362b4b76f8d663629014c1bb09c62 |
| SHA1 | 1dbacc95fdb2ec36fcf240110945e823e2968799 |
| SHA256 | 70c64207d3246e85c043231bf9e56d6dadf185fbcfb5474d81637fea4fd7916b |
| SHA512 | 509651fe8d57bbb7b26101bc3709fd9a9c722d98741637e60b6d65bfd128208574a2b7f099bc8373c54e682456bc76817c8efc14fe49e9604ecaa83ed625adce |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403290032291452564.dll
| MD5 | 117176ddeaf70e57d1747704942549e4 |
| SHA1 | 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b |
| SHA256 | 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af |
| SHA512 | ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 0ce1e8b741d2b68250cffdeb3fb9f4ff |
| SHA1 | 243086ca0c91f9ded65bde5b854d0b034c3f00fc |
| SHA256 | e0c9366f28fa4f5ae0e2a8f167ed2789a513c40d22556debec2e7070225f5bd4 |
| SHA512 | e94eea0d0f54af610acbdd443c3ab41d231db7dd374ae8863f38d83d707ea873f94a4941aa6a7cf27794527e1d8153d0e1ad4a3b72a3d17c8fd9c0bd73282679 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 92fbdfccf6a63acef2743631d16652a7 |
| SHA1 | 971968b1378dd89d59d7f84bf92f16fc68664506 |
| SHA256 | b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72 |
| SHA512 | b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117 |
memory/4140-1245-0x00000000002E0000-0x00000000007A5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d58a4630eb2866ce2f98b0758558771c |
| SHA1 | 0a50dc4c3a4684cade9786efac76970fbed1840a |
| SHA256 | 80072e3a0e14378945f981e17620d9a5162364e8b02cc321f919b2c2c097b403 |
| SHA512 | bef293f13a5d6b619d08f7ee17212c979c523919da44723abce299f60e65a54a0b32a643fdaecd94783030fa85d32be74bcb54b94858b42916e4ec048d154de8 |
memory/5076-1288-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/2248-1289-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/5088-1314-0x0000000000400000-0x0000000000AEC000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b0f711abee6999fa9b6aeafa22866631 |
| SHA1 | d25c4cdb3eaf83361478066fac7c602e79f6012e |
| SHA256 | bc2a727c3bb9e63582311e73279b0218c64180e43ba2a2ebb1e1bb2802c1fb02 |
| SHA512 | 506c07619f0c9163b50d154181de861d2a7ceef8fc1a4640cc7811f266b0e83ba98a10bbf2bbe93f1a72ff0a290a290eb4276de048b77a8abac3ee5b01af7aaa |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | fd9948f748110a072dd4d690aae3194c |
| SHA1 | 7b1f39dbc4266274476ef5784cac159e61c9db97 |
| SHA256 | fd1a996b87adb3a1f64601363c366fd2281804237c1ca6d96b4ca18f9b551921 |
| SHA512 | a5c2506550f0459be574109c204e1507585b0fdd150cd4a72a035dd6df2b2125db114d8343447e14e2e5c806cfb53dcbe9a8168ecf263b36283e1132a246e654 |
memory/2248-1357-0x0000000000400000-0x0000000000ECF000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 13253341e352726ffeac6a95e1e736f4 |
| SHA1 | 6fc077d51d1f2f909a05a1e58aaafb33e80664f0 |
| SHA256 | 17bb6285457ede4d5b959ecf1fc79b23284982db0073b29c535171c140504989 |
| SHA512 | 96aa984d1a618ad42f2a9aba1f43215f6f7ebe64678059db9497ed029d7312f858d488360a442a4e2924240dfacca004ec7e6eab48cc672f491c6437d9fad16f |
C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/2724-1418-0x0000000000400000-0x0000000000ECF000-memory.dmp
memory/4964-1421-0x0000000000400000-0x0000000000B10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/4140-1433-0x00000000002E0000-0x00000000007A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2afdbe3b99a4736083066a13e4b5d11a |
| SHA1 | 4d4856cf02b3123ac16e63d4a448cdbcb1633546 |
| SHA256 | 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee |
| SHA512 | d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f |
memory/5076-1445-0x0000000000400000-0x0000000000ECF000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 2f919e2efcfe70e33d9d531b9f556b50 |
| SHA1 | b9efd61ce348219bc30d6890d2e6471b93e17d5b |
| SHA256 | 176972be9b84dd2009cfe0510ef7167b53ec9520bdcf914beec84829b690c2fd |
| SHA512 | 8c9564d8086d0f4bfaf1c66df8d4aff05f2653f598d5f51c1f2d3343f5adeed30b6528407051a27b5a88202c99aa67a2322286c94bac8f2e4ab23f4d37fd97bc |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\opera_package
| MD5 | 401c352990789be2f40fe8f9c5c7a5ac |
| SHA1 | d7c1e902487511d3f4e1a57abdee8a94d5483ed4 |
| SHA256 | f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3 |
| SHA512 | efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |