Malware Analysis Report

2024-11-30 02:09

Sample ID 240329-avdhfacf6v
Target dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3
SHA256 dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3
Tags
amadey redline risepro zgrat @oleh_psp jok123 evasion infostealer rat stealer trojan glupteba rhadamanthys stealc discovery dropper loader persistence rootkit spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3

Threat Level: Known bad

The file dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3 was found to be: Known bad.

Malicious Activity Summary

amadey redline risepro zgrat @oleh_psp jok123 evasion infostealer rat stealer trojan glupteba rhadamanthys stealc discovery dropper loader persistence rootkit spyware upx

ZGRat

RedLine

Glupteba

RisePro

Stealc

RedLine payload

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect ZGRat V1

Glupteba payload

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Modifies Windows Firewall

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Reads data files stored by FTP clients

Drops startup file

UPX packed file

Reads local data of messenger clients

Reads WinSCP keys stored on the system

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Creates scheduled task(s)

Runs ping.exe

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 00:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 00:31

Reported

2024-03-29 00:34

Platform

win10v2004-20240226-en

Max time kernel

75s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RisePro

stealer risepro

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe

"C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"

C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe

"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe

"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Users\Admin\AppData\Local\Temp\1000042001\d3e3ae4be0.exe

"C:\Users\Admin\AppData\Local\Temp\1000042001\d3e3ae4be0.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe

"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"

C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe

"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"

C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe

"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4076 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3568 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5348 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5996 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe

"C:\Users\Admin\AppData\Local\Temp\1001052001\Eljlre.exe"

C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe

"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
RU | 185.215.113.32:80 | 185.215.113.32 | tcp
RU | 193.233.132.167:80 | 193.233.132.167 | tcp
US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
RU | 185.215.113.32:80 | 185.215.113.32 | tcp

Files

memory/3316-0-0x0000000000FA0000-0x0000000001465000-memory.dmp

memory/3316-1-0x0000000077954000-0x0000000077956000-memory.dmp

memory/3316-2-0x0000000000FA0000-0x0000000001465000-memory.dmp

memory/3316-3-0x0000000000FA0000-0x0000000001465000-memory.dmp

memory/3316-4-0x00000000053D0000-0x00000000053D1000-memory.dmp

memory/3316-5-0x00000000053E0000-0x00000000053E1000-memory.dmp

memory/3316-6-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/3316-7-0x0000000005400000-0x0000000005401000-memory.dmp

memory/3316-8-0x00000000053A0000-0x00000000053A1000-memory.dmp

memory/3316-9-0x00000000053B0000-0x00000000053B1000-memory.dmp

memory/3316-10-0x0000000005430000-0x0000000005431000-memory.dmp

memory/3316-11-0x0000000005420000-0x0000000005421000-memory.dmp

memory/3316-13-0x0000000000FA0000-0x0000000001465000-memory.dmp

memory/3316-17-0x0000000000FA0000-0x0000000001465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 28c4c4931f44cd4f20398de0ca02111e
SHA1 0d69a6408633eff4900201fde8caecdbb82db6e3
SHA256 a0c47bdd71b6904b35de9a9835f2ed8becc51d647f2b81ac0adcdba224bd197e
SHA512 5a9055ce6c6e869d64933a18c79031c1bf9b1feb5b180ab25f338e318624028f52c591bb944c9f4baedbb12e528a9cb4dbd96a8cb04bea8f241f18a405c3a6c6

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 c24cc500387c37edb2c4ac0f460dd272
SHA1 bebd2b99916372d6f4293c276387e904096b50cd
SHA256 dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3
SHA512 16c07ff0c0feb7f2c64671d11737b683e5f243c63263a46dec5ca765d0d2401dde85e57a2619e87391eefaec4f3b10a5eb2aee786d7b4d456c4bcb5fcd2a8570

memory/4896-20-0x00000000007F0000-0x0000000000CB5000-memory.dmp

memory/4896-21-0x00000000007F0000-0x0000000000CB5000-memory.dmp

memory/4896-28-0x0000000004F20000-0x0000000004F21000-memory.dmp

memory/4896-27-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

memory/4896-26-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

memory/4896-25-0x0000000004F30000-0x0000000004F31000-memory.dmp

memory/4896-24-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/4896-23-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/4896-22-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

memory/4896-30-0x0000000004F40000-0x0000000004F41000-memory.dmp

memory/4896-29-0x0000000004F50000-0x0000000004F51000-memory.dmp

memory/4896-31-0x00000000007F0000-0x0000000000CB5000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 58e1bc68cae045cd472efbd81bbb9d54
SHA1 e74cb981a49b3de7c9cd8efa2e98534150e338f5
SHA256 d7af37982bfde2086b0fc147eb551d572f595160b25bfcd700287f8ce4581621
SHA512 e0361f9e5e9fb4baf5ee38fb971aa4493d0b20d1e1e8e8c3d9f582e116a33b935cfcc57d7df259984170c932b12507b6e22c607bddf75367725cb530041f7f7d

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

memory/4896-44-0x00000000007F0000-0x0000000000CB5000-memory.dmp

memory/4572-46-0x00000179FF2E0000-0x00000179FF302000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdcdhyf5.fz3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4572-57-0x00000179FF330000-0x00000179FF340000-memory.dmp

memory/4572-56-0x00000179FF330000-0x00000179FF340000-memory.dmp

memory/4572-55-0x00007FF9D4770000-0x00007FF9D5231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

MD5 1f053e1ea0a8868c5f5951fb39c85272
SHA1 7d133be14b6c32902314bd80c455eb2a3907bab4
SHA256 41704d38b0c77e23ad5ac03be2b65cc5d83ed63143449e59ea86921dc35f2574
SHA512 fce0193e4d7b27e544b5ea1c990c624ff67f286a514dda2ca9c555e130b7a17b2333ea3c2ef59b02919b36d3688288685beb12b63466ade2ead8943c52d435c1

C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

MD5 8f596cf662d3070c4778030b0ebf1697
SHA1 ca4e9791887dfd346392e84670f3606e08b0da70
SHA256 beac4e6145269334ebaf3d723fa089c0b336dac94ad12da55574b713c496516a
SHA512 6db0f316dacf5ee6191d1574316ecc1ac7c90c21faf3d60795cb4fd2f9c57724bb1162286a37b104741ce64e63366480a1468a49bdd114e28110c8577f4b820c

memory/3212-78-0x0000000000E60000-0x00000000011FD000-memory.dmp

memory/4896-77-0x00000000007F0000-0x0000000000CB5000-memory.dmp

memory/4572-80-0x00000179FF7A0000-0x00000179FF7B2000-memory.dmp

memory/4572-81-0x00000179E7250000-0x00000179E725A000-memory.dmp

memory/3212-79-0x0000000000E60000-0x00000000011FD000-memory.dmp

memory/4572-87-0x00007FF9D4770000-0x00007FF9D5231000-memory.dmp

memory/4896-88-0x00000000007F0000-0x0000000000CB5000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

memory/3212-100-0x0000000000E60000-0x00000000011FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

MD5 894c8d2fb6e086c7770e622e0924b076
SHA1 ba4774b82c45a0aac5e0005ea853420d33cb5fb5
SHA256 fd95a40561cbcba0cc5d1072dfce829accfe76227da40fd52e715ed3279b14b2
SHA512 048b3b9c65b9935eab7319c7f77811f8386a23c0b6e826515ba5ca5624cbe41798ffc689a36d46701225f1837bfc232177353fd56c31056661e40b840e3e06aa

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

MD5 85a15f080b09acace350ab30460c8996
SHA1 3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA256 3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512 ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

memory/4896-119-0x00000000007F0000-0x0000000000CB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

MD5 0e0a8795472dd2e6918bd0b3656e14a6
SHA1 e6d1343e9de5e16f39b234c07da54867b8570492
SHA256 dae9dda264a496a3a5d56ccc8d3e2499ae965b89e3405808143215d143688cfb
SHA512 4b5aaf7245dc015156173ca6002303ebef94f0ba14f670006fb73f622249e0b6c97c15fe1c545912027b8e875ec220d6f97c1a55935da1f36f36e787693f2e48

memory/788-121-0x0000000072F70000-0x0000000073720000-memory.dmp

memory/788-122-0x0000000000ED0000-0x000000000108C000-memory.dmp

memory/788-123-0x0000000005B70000-0x0000000005B80000-memory.dmp

memory/3212-124-0x0000000000E60000-0x00000000011FD000-memory.dmp

memory/3212-125-0x0000000000E60000-0x00000000011FD000-memory.dmp

memory/4896-128-0x00000000007F0000-0x0000000000CB5000-memory.dmp

memory/4400-129-0x0000000000400000-0x0000000000592000-memory.dmp

memory/788-131-0x0000000003650000-0x0000000005650000-memory.dmp

memory/788-134-0x0000000072F70000-0x0000000073720000-memory.dmp

memory/4400-133-0x0000000072F70000-0x0000000073720000-memory.dmp

memory/4400-135-0x00000000055D0000-0x00000000055E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

MD5 cc90e3326d7b20a33f8037b9aab238e4
SHA1 236d173a6ac462d85de4e866439634db3b9eeba3
SHA256 bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512 b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

memory/4572-158-0x0000000072F70000-0x0000000073720000-memory.dmp

memory/4572-157-0x00000000003C0000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

MD5 1fc4b9014855e9238a361046cfbf6d66
SHA1 c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256 f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA512 2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

memory/4572-160-0x00000000051E0000-0x0000000005784000-memory.dmp

memory/3248-161-0x00000000003B0000-0x000000000043C000-memory.dmp

memory/3248-162-0x00007FF9D4B10000-0x00007FF9D55D1000-memory.dmp

memory/4572-163-0x0000000004CD0000-0x0000000004D62000-memory.dmp

memory/3248-164-0x000000001B220000-0x000000001B230000-memory.dmp

memory/4572-165-0x0000000004E80000-0x0000000004E8A000-memory.dmp

memory/3212-166-0x0000000000E60000-0x00000000011FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe

MD5 22aeb43ba6ab6f8985f494951dd988d5
SHA1 52dbcc33bd585750d8cad31bf2e5d0525cf77440
SHA256 a86a6393ad59f0bd81c9bd96d575bab8d34990faeff17a983d384ac31225cbeb
SHA512 3432e70efae0c0f2b5dd590e3bf00457c27958905dbf5453ca3a3687509787f8b1fb264ccbe1daccd9bce5dafc2987a8f4a7ab473a9f5effc4dd9d61b5bffaaa

memory/4516-183-0x00000000001C0000-0x0000000000680000-memory.dmp

memory/4516-184-0x00000000001C0000-0x0000000000680000-memory.dmp

memory/4516-187-0x0000000004B90000-0x0000000004B91000-memory.dmp

memory/4516-188-0x0000000004B20000-0x0000000004B21000-memory.dmp

memory/4516-189-0x0000000004B40000-0x0000000004B41000-memory.dmp

memory/4516-190-0x0000000004B30000-0x0000000004B31000-memory.dmp

memory/4516-191-0x0000000004B80000-0x0000000004B81000-memory.dmp

memory/4516-186-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/4516-185-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/4896-192-0x00000000007F0000-0x0000000000CB5000-memory.dmp

memory/4400-193-0x0000000072F70000-0x0000000073720000-memory.dmp

memory/4516-195-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

memory/4516-196-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 2e5f7a5a55215fb109d7379cacd37a84
SHA1 dd65938f54a6251b45172f20d51e1655289bb75d
SHA256 b69e2b06abe3f49b7867b8ec633916b5a9018743af19a3c34bf414e091a3ec95
SHA512 06608e208573579bb0bc046e4565d268eaa777395e382631a279417f55a3671c1462fd711091bba17cc00b0e8ada6e710b84f7a5dc5928a34c4cb65971b5cea4

memory/4516-206-0x00000000001C0000-0x0000000000680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe

MD5 832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1 b622a406927fbb8f6cd5081bd4455fb831948fca
SHA256 2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA512 3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

memory/4624-217-0x00000000008F0000-0x0000000000DB0000-memory.dmp

memory/564-229-0x0000000000070000-0x00000000000C0000-memory.dmp

memory/4572-228-0x0000000072F70000-0x0000000073720000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\random[1].exe

MD5 2375e217c2858b273cfcc18d89594203
SHA1 ad7ef4562791da218f124555c8fa0d2850e092aa
SHA256 5ea7f8142718302e7b5d6ad9d7ce7ab072e9696730201cbe565c4673e2727ab7
SHA512 9c29e315eaad4ef0391bd75b9376432ac1b14eee2d6529249c224c390e0da4e462f6e18ea1b776fee62acf0a5e23773f1fe6d8f2b1288abbcfea773e8baf7e95

C:\Users\Admin\AppData\Local\Temp\TmpDA1A.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Local\Temp\1000042001\d3e3ae4be0.exe

MD5 1a4408075444c710fa7ea965ee4fdff6
SHA1 fcb2c1fa874b9a40fb7136666fc8743780c317f3
SHA256 fdcd0d7d7a39d2012cf48d1ad2400cd115eae097d2f7341d8a29d6d0a6a4d05e
SHA512 2484ea421580fc4d92c9155a9ed9800848d9d6a1b4d3ed9b5d90b1090011e0b0fe6f4d8a36f6aaa6c47541169779c4c9d0016dec4081f0e145c7e2ffaad840a8

C:\Users\Admin\AppData\Local\Temp\1000042001\d3e3ae4be0.exe

MD5 fc95de28e1f880517d5e9d338ad46a1f
SHA1 d8617a46797fb372f113d80884a0e86916dbcd88
SHA256 b6b76009e1ce63429729d41a64ad753a7f12bf779ac459c4fe05ecff4e24468d
SHA512 6e05f258fa88225674d797cb802ed5d678c32ba4e081f621606abd3ca96a802d76219de28b8303c8dfcabca0a2662e597302f18828701e3437cdf3d09f8aee87

memory/2176-288-0x0000000000400000-0x000000000079D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 dac7ea5bf9023a41a76d983e899a7f93
SHA1 7107b47686cd1c4de755c87753e165e6ba388c31
SHA256 1bc9767a55b42d6f24dfcb207c1764d6b7c9ec33cfd3bdc9d487bdf4e3b6c688
SHA512 addd9920141c4c33cb4455283c370afe1f189a47f7d84619ac70f0d229a5d966f9d8c1e92d3094416ace34fac3b7f4ff10049478c729f6078041c9f706ae5573

memory/2176-292-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-295-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-294-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-296-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-299-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-300-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-302-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-301-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-303-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-306-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-307-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-308-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-310-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-309-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-311-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-312-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-315-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-314-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-316-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-305-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-317-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-320-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-304-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-321-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-324-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-325-0x0000000000400000-0x000000000079D000-memory.dmp

memory/3212-328-0x0000000000E60000-0x00000000011FD000-memory.dmp

memory/4896-327-0x00000000007F0000-0x0000000000CB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

MD5 e921340bf5a9d5152af86d09b5e356cf
SHA1 e9f6802fddd4a4d86aa4e7db2a932656103a35ca
SHA256 e45b084c3b6081c5b8eef6168ac26bb8b5cd2efae478147b67136695080648b2
SHA512 7b086a8a67d58d9620cdd097d862bf62eabc6cef242edc7ab49569d2f45cb5fa97f86e572e843ed158d311a5b9b24f1b73b3cfe5233e5487968f7d5c20f23ad7

memory/2176-322-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-323-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-298-0x0000000000400000-0x000000000079D000-memory.dmp

memory/2176-297-0x0000000000400000-0x000000000079D000-memory.dmp

memory/4624-334-0x00000000008F0000-0x0000000000DB0000-memory.dmp

memory/1356-343-0x00000000008F0000-0x0000000000DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 00:31

Reported

2024-03-29 00:34

Platform

win11-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

sihost.exe

Signatures

Amadey

trojan amadey

Glupteba

loader dropper glupteba

Glupteba payload


Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3268 created 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nGIYuPwBJ7KzfP8S7VkBAIEg.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cA4V9tXdRiR4XmzS0bODnqPq.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s0jm4YCeWsnFnH3zbwmJGebX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5O73mN5vQGLYprVhjicAbo4H.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BzSq75M6GMxC4C8JkEh3jM8W.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SXF8rhfqOOzO26vmZFaPIPpP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QU6x8hwc6TpHZGSvlNqgGhNF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6RuashOVcc3DwpLMmEQ7tycU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdVucLRIzuLTbb0tPrdcc08y.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X8iEzgYQ8375X8nEoQsn4NG6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe N/A
N/A N/A C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
N/A N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
N/A N/A C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
N/A N/A C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
N/A N/A C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2132 set thread context of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2872 set thread context of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7
b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe N/A
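
The Blob value written above is the serialized form Windows uses for every certificate in a SystemCertificates store: a run of records, each a little-endian DWORD property ID, a DWORD reserved field that is always 1, a DWORD length and then the property bytes. The layout is visible in the dump itself: 0b000000 01000000 32000000 introduces the 50-byte UTF-16 friendly name, 03000000 01000000 14000000 the 20-byte SHA-1 thumbprint, and 20000000 01000000 94050000 the 1428-byte DER certificate. The Python below is an added example, not from the report or the sandbox vendor; it splits a blob into its properties and checks that the registry key name, the stored SHA-1 property and the SHA-1 of the embedded certificate agree. The friendly-name record in the dump decodes to DigiCert Trusted Root G4, and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 is that public root's thumbprint; AuthRoot is the store Windows' automatic root update populates, so this particular "Modifies system certificate store" hit is the Opera installer's doing, not a rogue root. The consistency check only proves the blob is well formed; whether a thumbprint belongs to a root you trust is a lookup against Microsoft's trusted root program list, which the script does not do. The sample input is constructed, with a placeholder byte string in place of a real DER certificate.

```python
import hashlib
import struct

# Property IDs from wincrypt.h that occur in a serialized certificate blob.
CERT_SHA1_HASH_PROP_ID = 3       # 20-byte thumbprint, the same value as the key name
CERT_FRIENDLY_NAME_PROP_ID = 11  # UTF-16LE, NUL-terminated display name
CERT_CERT_PROP_ID = 32           # the DER-encoded certificate itself


def parse_cert_blob(blob):
    """Split a ...\\Certificates\\<thumbprint>\\Blob value into {prop_id: bytes}.
    Each record is DWORD prop_id, DWORD reserved (always 1), DWORD length,
    then `length` bytes of data; all integers little-endian."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError("unexpected reserved field %d at offset %d" % (reserved, off))
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("property %d runs past the end of the blob" % prop_id)
        props[prop_id] = data
        off += length
    return props


def check_cert_blob(key_thumbprint, blob_hex):
    """Decode a blob and confirm that the registry key name, the stored SHA-1
    property and the SHA-1 of the embedded certificate all agree."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(der).hexdigest()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "friendly_name": name,
        "der_length": len(der),
        "computed_sha1": computed,
        "consistent": computed == stored == key_thumbprint.lower(),
    }


def build_cert_blob(records):
    """Inverse of parse_cert_blob; used here only to construct the sample input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Constructed sample (not the blob from this report): a placeholder byte string
# stands in for the DER certificate so the example runs offline.
FAKE_DER = b"constructed placeholder for a DER-encoded certificate"
SAMPLE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB_HEX = build_cert_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_FRIENDLY_NAME_PROP_ID, "Example Root\x00".encode("utf-16-le")),
    (CERT_CERT_PROP_ID, FAKE_DER),
]).hex()

if __name__ == "__main__":
    # For the real thing, paste the key name and the Blob hex from the log row:
    # check_cert_blob("DDFB16CD4931C973A2037D3FC83A4D7D775D05E4", "<hex from the Blob row>")
    print(check_cert_blob(SAMPLE_THUMBPRINT, SAMPLE_BLOB_HEX))
```

To use it on this report, pass the key name from the registry path and the hex after "Blob =" from the row above; a blob that fails the reserved-field check or whose thumbprints disagree is one to pull out of the sandbox and inspect by hand.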

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe N/A
N/A N/A C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe N/A
N/A N/A C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe N/A
N/A N/A C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
N/A N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
N/A N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
N/A N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4140 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
PID 4140 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2748 wrote to memory of 4964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe
PID 2748 wrote to memory of 4964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe
PID 2748 wrote to memory of 4964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe
PID 2748 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe
PID 2748 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe
PID 2748 wrote to memory of 2500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe
PID 2748 wrote to memory of 3648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe
PID 2748 wrote to memory of 3648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe
PID 2748 wrote to memory of 3648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe
PID 2748 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe
PID 2748 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe
PID 2748 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe
PID 2748 wrote to memory of 4072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe
PID 2748 wrote to memory of 4072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe
PID 2748 wrote to memory of 4072 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe
PID 2748 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe
PID 2748 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe
PID 2748 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe
PID 2872 wrote to memory of 3104 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 3104 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 3104 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 3268 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3268 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3268 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3268 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 3268 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 792 wrote to memory of 3696 N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 792 wrote to memory of 3696 N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 792 wrote to memory of 3696 N/A C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4072 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 5088 N/A C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe
PID 4964 wrote to memory of 5088 N/A C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe
PID 4964 wrote to memory of 5088 N/A C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe
PID 4692 wrote to memory of 3832 N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 3832 N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 3832 N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 3516 N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe C:\Windows\system32\cmd.exe
PID 4692 wrote to memory of 3516 N/A C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe C:\Windows\system32\cmd.exe
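
The rows above record one line per WriteProcessMemory call, so the same writer-to-target edge repeats many times and the chain is hard to read off the table. The script below is an added example, not part of the sandbox report or of its tooling: it deduplicates the rows, rebuilds every root-to-leaf chain (explorgu.exe into file300un.exe into jsc.exe into the dropped executables under Pictures, and on into RegAsm.exe and dialer.exe), flags writes into images under C:\Windows, where an unsigned dropper filling a signed Microsoft binary is the hollowing/injection pattern, treats a write into a WerFault.exe child as the crash-reporting handoff it is, and lists PIDs that the log names inconsistently (PID 3268 is labelled both Conhost.exe and RegAsm.exe above, which is worth noting before trusting the chain). The embedded sample rows are copied from this table; the regex assumes paths without spaces, as in this report.

```python
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)$")

# The faulting process hands WerFault.exe its context, so a write into a
# WerFault child is the normal crash-reporting handoff, not injection.
BENIGN_TARGETS = {"werfault.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Deduplicated (writer_pid, writer_path, target_pid, target_path) tuples, in log order."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = (int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))
        if row not in rows:
            rows.append(row)
    return rows


def analyse_writes(text):
    rows = parse_rows(text)
    names = defaultdict(set)      # pid -> every image name the log attached to it
    children = defaultdict(list)  # writer pid -> target pids, in log order
    for wpid, wpath, tpid, tpath in rows:
        names[wpid].add(basename(wpath))
        names[tpid].add(basename(tpath))
        if tpid not in children[wpid]:
            children[wpid].append(tpid)

    # A dropper writing into an image under C:\Windows is the pattern to chase:
    # a signed Microsoft binary (jsc.exe, RegAsm.exe, dialer.exe in this report)
    # being filled by an unsigned parent is process hollowing / injection.
    suspicious = []
    for wpid, wpath, tpid, tpath in rows:
        if basename(tpath).lower() in BENIGN_TARGETS:
            continue
        if tpath.lower().startswith("c:\\windows\\"):
            suspicious.append((wpid, basename(wpath), tpid, basename(tpath)))

    # Roots are writers nobody wrote into; walk every root-to-leaf chain.
    targets = {tpid for _, _, tpid, _ in rows}
    roots = sorted(pid for pid in children if pid not in targets)
    chains = []

    def walk(pid, pids, labels):
        labels = labels + ["%s:%d" % ("|".join(sorted(names[pid])), pid)]
        pids = pids + [pid]
        nxt = [c for c in children.get(pid, []) if c not in pids]  # guard against cycles
        if not nxt:
            chains.append(labels)
        for c in nxt:
            walk(c, pids, labels)

    for root in roots:
        walk(root, [], [])
    return {
        "suspicious": suspicious,
        "chains": chains,
        # PIDs the log names inconsistently (PID 3268 is both Conhost.exe and RegAsm.exe above)
        "pid_aliases": {pid: sorted(n) for pid, n in names.items() if len(n) > 1},
    }


# Sample rows copied from the table above (first row repeated, as in the log).
SAMPLE_ROWS = r"""
PID 4140 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
PID 4140 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
PID 2132 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2748 wrote to memory of 2872 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe
PID 2872 wrote to memory of 3104 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\SysWOW64\WerFault.exe
PID 2872 wrote to memory of 3268 N/A C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe C:\Windows\System32\Conhost.exe
PID 3268 wrote to memory of 3504 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
"""

if __name__ == "__main__":
    for chain in analyse_writes(SAMPLE_ROWS)["chains"]:
        print(" -> ".join(chain))
```

Paste the whole table in place of SAMPLE_ROWS to get the full tree; the pid_aliases output is the first thing to check, because a sandbox that attaches two image names to one PID (PID reuse or a mislabelled child) can make an injection chain look longer or shorter than it is.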

Uses Task Scheduler COM API

persistence
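
Several command lines in the Processes list that follows are the persistence and tamper-protection steps a detection rule should key on: the netsh allow rule and the ONLOGON /RL HIGHEST scheduled task for C:\Windows\rss\csrss.exe (a system-process name outside System32), sc sdset on WinDefender with the deny ACE (D;;WPDT;;;BA), which stops Administrators from stopping or pausing the service, rundll32 loading cred64.dll and clip64.dll from AppData, and the ping-then-Del self-delete of BFBGHDGCFH.exe. The Python triage function below is an added example, not part of the report or of any vendor tooling; the rule names, the SYSTEM_NAMES list and the sample command lines (copied from the list below, plus one benign powershell line) are the author's own constructions, and the SDDL parser handles only the two-letter rights form used here, not hexadecimal access masks.

```python
import re

# Two-letter SDDL rights as they apply to a service object.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
CONTROL_RIGHTS = {"WP", "DT", "DC", "SD", "WD", "WO"}  # rights that stop or alter a service
SID_ALIASES = {"BA": "Administrators", "SY": "LocalSystem", "IU": "Interactive",
               "SU": "Service", "WD": "Everyone", "AU": "AuthenticatedUsers"}
# Image names that only live in System32/SysWOW64 on a clean host (assumed list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "wininit.exe", "services.exe"}


def parse_sddl_dacl(sddl):
    """[(ace_type, {rights}, sid)] for the DACL part; two-letter rights form only."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        rights = fields[2]
        aces.append((fields[0], {rights[i:i + 2] for i in range(0, len(rights), 2)}, fields[5]))
    return aces


def masquerading(path):
    """True when a system-process name sits outside System32/SysWOW64."""
    folder, _, name = path.rpartition("\\")
    return name.lower() in SYSTEM_NAMES and not folder.lower().endswith(("\\system32", "\\syswow64"))


def triage_command_line(cmd):
    """Return [(rule, detail)] findings for one command line."""
    findings = []
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*?action=allow.*?program="([^"]+)"', cmd, re.I)
    if m:
        findings.append(("firewall_allow_rule", m.group(1)))
        if masquerading(m.group(1)):
            findings.append(("masquerading_system_name", m.group(1)))
    m = re.search(r'schtasks\s+/create\s.*?/tr\s+"([^"]+)"', cmd, re.I)
    if m:
        if re.search(r"/sc\s+onlogon", cmd, re.I) and re.search(r"/rl\s+highest", cmd, re.I):
            findings.append(("logon_task_highest_privilege", m.group(1)))
        if masquerading(m.group(1)):
            findings.append(("masquerading_system_name", m.group(1)))
    m = re.search(r"\bsc\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    if m:
        for ace_type, rights, sid in parse_sddl_dacl(m.group(2)):
            denied = rights & CONTROL_RIGHTS
            if ace_type == "D" and denied:  # an explicit deny ACE on control rights
                findings.append(("service_control_denied", "%s: %s denied %s" % (
                    m.group(1), SID_ALIASES.get(sid, sid),
                    ",".join(sorted(SERVICE_RIGHTS[r] for r in denied)))))
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^\s,"]+\.dll)', cmd, re.I)
    if m and "\\appdata\\" in m.group(1).lower():
        findings.append(("rundll32_user_writable_dll", m.group(1)))
    if re.search(r"\bping\s+\S+.*&\s*del\s+", cmd, re.I):
        findings.append(("ping_delay_self_delete", cmd.split("&", 1)[1].strip()))
    return findings


def triage_report(cmds):
    return [f for cmd in cmds for f in triage_command_line(cmd)]


# Command lines copied from the Processes list of this report, plus one benign line.
SAMPLE_COMMAND_LINES = [
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main',
    r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe',
    "powershell -nologo -noprofile",
]

if __name__ == "__main__":
    for rule, detail in triage_report(SAMPLE_COMMAND_LINES):
        print(rule, detail)
```

The sc sdset finding is the one that matters for cleanup: with (D;;WPDT;;;BA) in place an administrator's "sc stop WinDefender" is refused even though the same DACL still grants BA DELETE and WRITE_DAC, so the service is removed by rewriting its descriptor or deleting it, not by stopping it first.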

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe

"C:\Users\Admin\AppData\Local\Temp\dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe

"C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe"

C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe

"C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe"

C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe

"C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe"

C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe

"C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe"

C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe

"C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe"

C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe

"C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2872 -ip 2872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 876

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3268 -ip 3268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3268 -ip 3268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 532

C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe"

C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe

"C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe

"C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe"

C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe

"C:\Users\Admin\Pictures\nG1Fq1mbi8PR1j8Uh6fja62m.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3648 -ip 3648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1288

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe

"C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe" --silent --allusers=0

C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe

C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x290,0x2bc,0x6e38e1d0,0x6e38e1dc,0x6e38e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\nvEgXPvRALAzyhRcDjKRaQOF.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\nvEgXPvRALAzyhRcDjKRaQOF.exe" --version

C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe

"C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2564 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329003229" --session-guid=c5d6640f-8db9-45b1-a531-329ec4c6ffd5 --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7004000000000000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe

C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6da0e1d0,0x6da0e1dc,0x6da0e1e8

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1164

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 2760

C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe

"C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 2768

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BFBGHDGCFH.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5088 -ip 5088

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 2796

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x1040040,0x104004c,0x1040058

Network

Country Destination Domain Proto
RU 185.215.113.32:80 185.215.113.32 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 17.64.42.5.in-addr.arpa udp
US 172.67.169.89:443 yip.su tcp
US 104.20.68.143:443 pastebin.com tcp
DE 185.172.128.144:80 185.172.128.144 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 net.geo.opera.com udp
US 8.8.8.8:53 cu82342.tw1.ru udp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 104.21.15.5:443 operandotwo.com tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.200.219:443 sty.ink tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 172.67.173.167:443 guseman.org tcp
US 8.8.8.8:53 144.210.57.176.in-addr.arpa udp
US 8.8.8.8:53 190.73.21.217.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
US 172.67.206.194:443 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 172.67.206.194:443 tcp
US 172.67.206.194:443 tcp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 172.67.206.194:443 tcp
US 172.67.188.178:443 iplogger.com tcp
US 172.67.206.194:443 tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 185.26.182.112:443 features.opera-api2.com tcp
RU 185.215.113.32:80 185.215.113.32 tcp
US 20.157.87.45:80 svc.iolo.com tcp
N/A 185.172.128.90:80 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
FR 143.244.56.49:443 download.iolo.net tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server5.datadumpcloud.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
NL 82.145.216.24:443 tcp
US 104.18.11.89:443 download5.operacdn.com tcp
US 20.157.87.45:80 svc.iolo.com tcp
DE 185.172.128.65:80 tcp
BG 185.82.216.104:443 server5.datadumpcloud.org tcp
NL 52.111.243.29:443 tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
BG 185.82.216.104:443 server5.datadumpcloud.org tcp

Files

memory/3256-0-0x0000000000680000-0x0000000000B45000-memory.dmp

memory/3256-1-0x0000000077206000-0x0000000077208000-memory.dmp

memory/3256-2-0x0000000000680000-0x0000000000B45000-memory.dmp

memory/3256-4-0x00000000051D0000-0x00000000051D1000-memory.dmp

memory/3256-3-0x00000000051E0000-0x00000000051E1000-memory.dmp

memory/3256-6-0x00000000051B0000-0x00000000051B1000-memory.dmp

memory/3256-5-0x0000000005210000-0x0000000005211000-memory.dmp

memory/3256-7-0x00000000051C0000-0x00000000051C1000-memory.dmp

memory/3256-8-0x00000000051F0000-0x00000000051F1000-memory.dmp

memory/3256-9-0x0000000005240000-0x0000000005241000-memory.dmp

memory/3256-11-0x0000000005230000-0x0000000005231000-memory.dmp

memory/3256-15-0x0000000000680000-0x0000000000B45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 c24cc500387c37edb2c4ac0f460dd272
SHA1 bebd2b99916372d6f4293c276387e904096b50cd
SHA256 dd5c31c3204545b847854f3324bd3b567508e49366dc302988af9e2fa397d1c3
SHA512 16c07ff0c0feb7f2c64671d11737b683e5f243c63263a46dec5ca765d0d2401dde85e57a2619e87391eefaec4f3b10a5eb2aee786d7b4d456c4bcb5fcd2a8570

memory/4140-18-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4140-19-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4140-21-0x0000000004D70000-0x0000000004D71000-memory.dmp

memory/4140-24-0x0000000004D60000-0x0000000004D61000-memory.dmp

memory/4140-25-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/4140-23-0x0000000004D50000-0x0000000004D51000-memory.dmp

memory/4140-22-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

memory/4140-20-0x0000000004D80000-0x0000000004D81000-memory.dmp

memory/4140-26-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe

MD5 16f67f1a6e10f044bc15abe8c71b3bd6
SHA1 ce0101205b919899a2a2f577100377c2a6546171
SHA256 41cca3fa0f500dc6c17d1f02fc906d2b0c769210af9c4286760b84ecf46cab89
SHA512 a11db01bf55e3497644918c7dcc6180e0911261f39f062e653f000e1365dc9668fe5bd1d0fee0ae5c740a6477bcea510ba8c5ff6831c3bdb0d7c0590d2487e3c

memory/2132-46-0x000002B3D55B0000-0x000002B3D55BC000-memory.dmp

memory/2132-47-0x00007FF9C6730000-0x00007FF9C71F2000-memory.dmp

memory/2132-48-0x000002B3D5A80000-0x000002B3D5A90000-memory.dmp

memory/2132-49-0x000002B3F0A50000-0x000002B3F0AC6000-memory.dmp

memory/2132-50-0x000002B3EFAE0000-0x000002B3EFAFE000-memory.dmp

memory/2132-51-0x000002B3EFD70000-0x000002B3EFDCE000-memory.dmp

memory/2132-52-0x000002B3D5A80000-0x000002B3D5A90000-memory.dmp

memory/2132-53-0x000002B3D5A80000-0x000002B3D5A90000-memory.dmp

memory/2748-54-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2748-55-0x0000000072BC0000-0x0000000073371000-memory.dmp

memory/4140-56-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/2748-57-0x0000000005040000-0x0000000005050000-memory.dmp

memory/2132-58-0x00007FF9C6730000-0x00007FF9C71F2000-memory.dmp

C:\Users\Admin\Pictures\T4H0WKmNk9KV5Hvpmuhes0mi.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\ovxQTMmmlShXXxtXeAw1nKYE.exe

MD5 978ff4cca970ad267dc95983a6d93836
SHA1 7f0c40c1c5917b06de2b199b85601d05a30d02d3
SHA256 7261982e88464a33c2a40dc033a51d9aa963d731120c8a3a2fa88060a1498267
SHA512 cb44cfe4bf7d721ed97e94d2c1e19b3becdd874283ad96ab4c1addebc6414833e2ea8394a95e363e477910dc1454529e698dd268ccc3916dc887685a48682457

C:\Users\Admin\Pictures\0r481T9LSgw1MN0XLM2NcEby.exe

MD5 5c804dea51e39d91f9c32a877a6105e3
SHA1 0dc2e412bc8b68beb99354fb7be0e3cd115bd0fc
SHA256 e83b6dab810ac2ee9f094152bbf1fda89bcfc16e5f7413cc07b83c5ff15a7cc3
SHA512 6bd12c5008d53d094e6bdcf7f87184b6328a42e0ef32f0c8b360e8954bbec86c6178bf640c0132d03cb9c6fd92e0b636f76c2a485bcb3d1b2e79ee20240d4c14

C:\Users\Admin\Pictures\jze9SUcuzZWkxDlLQA5W2OXC.exe

MD5 a05308155e1fd4b7dd61a4822337cd63
SHA1 0fc568dd9671e8a1dede2a063214dcc7bfa53477
SHA256 e033dd7779b0847fe394e6a0b2c77579eb36434333918a7830aeda5b6cf641b9
SHA512 a4b44f101efccc40bb29b4c3e1ec0a5303a8669bc7c872f49a8652d5e7a72768152d833edbf4788f48de41b249ee4c699f733ed6d2ebd2b051a70fc0d3234593

memory/4964-104-0x0000000002840000-0x00000000028AE000-memory.dmp

memory/4964-103-0x0000000000DA0000-0x0000000000EA0000-memory.dmp

memory/4964-105-0x0000000000400000-0x0000000000B10000-memory.dmp

C:\Users\Admin\Pictures\h9tbpGrVfB0S2Wjxl8VQCZK8.exe

MD5 97d21b1e771c5eac429cf5b16672c07e
SHA1 961396698844f4811719249636db36b67e5543b5
SHA256 109d87c5dea80163592dda714a6b7407538058e986808591fdbe9c3ab4d87a73
SHA512 750d6eea1bfb668f6323a3288c1ca57c457541b43e7c02abb6e847fbe165399de877acbdd8e503482615969904e11ca08a1389bf8e174a9dafcf37399bec6cc8

C:\Users\Admin\Pictures\S9gf1ZJXBYtCaCpnJv3DlW3T.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/2500-146-0x0000000002C30000-0x000000000302E000-memory.dmp

memory/4140-134-0x00000000002E0000-0x00000000007A5000-memory.dmp

C:\Users\Admin\Pictures\edcxE0l3fRFjjGrjUfWc8Oej.exe

MD5 68f8731e5cbc9e34ba6b923c82dfff0a
SHA1 6ff499a82e54c99c1d59569f04337705697cf86e
SHA256 9051b57caec9ad903cb5a327efaf2a745511389107518bb07954000023d288e3
SHA512 a1a327531f270752cf03c13e3a89ac046f10cc75faf97580291b4fbe3a19b4a0d992d70297e9e37c16d03dcd20de746f5f87123c2c71f0ffad71e87dcaef035c

memory/3648-156-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/3648-157-0x0000000000D70000-0x0000000000D71000-memory.dmp

C:\Users\Admin\Pictures\WYS4ke33P3XS1lcTGteacVOU.exe

MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

memory/3648-161-0x0000000000DC0000-0x0000000000EC0000-memory.dmp

memory/3648-149-0x0000000002860000-0x00000000028AA000-memory.dmp

memory/2500-171-0x0000000003030000-0x000000000391B000-memory.dmp

memory/2500-172-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/2872-175-0x00000000008F0000-0x000000000095E000-memory.dmp

memory/4072-174-0x0000000002C50000-0x000000000304C000-memory.dmp

memory/4072-179-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/792-182-0x0000000002C80000-0x0000000003084000-memory.dmp

memory/3268-183-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3268-178-0x0000000000400000-0x000000000046D000-memory.dmp

memory/792-184-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/2872-185-0x0000000072BC0000-0x0000000073371000-memory.dmp

memory/2872-186-0x0000000005220000-0x0000000005230000-memory.dmp

memory/2872-187-0x0000000002C60000-0x0000000004C60000-memory.dmp

memory/3268-188-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2872-189-0x0000000072BC0000-0x0000000073371000-memory.dmp

memory/3648-190-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-191-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-192-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-194-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-193-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-196-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-197-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-195-0x0000000003250000-0x0000000003350000-memory.dmp

memory/4140-199-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/3648-198-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-201-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3648-200-0x0000000003250000-0x0000000003350000-memory.dmp

memory/3268-401-0x0000000004090000-0x0000000004490000-memory.dmp

memory/3268-404-0x0000000004090000-0x0000000004490000-memory.dmp

memory/3268-407-0x00007FF9E77A0000-0x00007FF9E79A9000-memory.dmp

memory/3268-411-0x0000000076E90000-0x00000000770E2000-memory.dmp

memory/3504-413-0x0000000000640000-0x0000000000649000-memory.dmp

memory/3504-425-0x0000000076E90000-0x00000000770E2000-memory.dmp

memory/3504-422-0x00007FF9E77A0000-0x00007FF9E79A9000-memory.dmp

memory/3504-419-0x0000000002390000-0x0000000002790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_llonoco1.ota.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\u3tw.0.exe

MD5 bb9c579553855366be205788003e7841
SHA1 828e5b2f7388da912c39b7336f1d361221df8021
SHA256 970a048241568ba8350ff7b3d4ec9a4d241c981eff4ec2e97c1bf082537e5d61
SHA512 78a60497c9deb917096c59ea86699e36ef3db1809e327ca94ae62d4d45d6fac5aca1b5fe5fc12f5e363e8c52ae42a6c72110a1f0f6b9455e00feb2fbe464a20d

memory/4964-562-0x0000000000400000-0x0000000000B10000-memory.dmp

memory/2500-566-0x0000000000400000-0x0000000000ECF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 19d93f5f22e0ed1688815aab43b1fb6c
SHA1 d79067036b97dc779b6c816edcc86a445eb26164
SHA256 1bd9351509cae5f1b9c69dc3a27cc8368ed4a3ab831ab322c1c511aafab53930
SHA512 41f15077e0be7ed2327100c167ddf9e8ce28048b0478cfbd50d567187348d5599b55fd6716546cd7e1378aedfd9c94792ea719cbb6973e5f693e7845f85deaf6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 80e05a83b3a08c8ae1b2563d40d5dd87
SHA1 957468a64872bf04ace81f4517adec3f0e9d25eb
SHA256 27425ba450ed614a8c5506d6a04ddbb686ecd39c69989c273d7e75fa7f3fa49e
SHA512 72da0488e5594c41c527ae003b98ebb74fe4b2058b23f6c4bf47a68a81c2dbfb73410cd51f1df51d062bac9e47ba0f12cffba1d86fdc64f3a19fec566fd65544

memory/3648-579-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/792-585-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/4072-586-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/4140-840-0x00000000002E0000-0x00000000007A5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c7650cd20390daeb7169ccdb036555c9
SHA1 2920e61155adf1e91b879116cbf7ccd7b31f4ad3
SHA256 9bd5bc786c565655b1f4d93ce69257c98e5b0cdc9febfe90d7930e187db96ba8
SHA512 004e435136600c0b9d2712b6b81b9b271256f0ff39836921bff1fa41ea3e5fd43dbeed6fde36feda107b22af5bf709b0005d050ddf960be02ec11e861f5f19ef

memory/5088-963-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5c4a046bdf0b7c4f145637425df96142
SHA1 42795043774c1c9ec1a2023abb23a29b7a8a876d
SHA256 970a015fb4e16b87c46d6a11b01074560146b6314fb18f381434a37946216fb6
SHA512 b3fd50ab9d0d0f05bfafa6ff3841af045dccc4b9da8399bc73f9938e0c96d80f19df9ba0aac49447fc1b9b73388fa6ee5e7f122891139edfc40660ade1d9c289

memory/5088-1043-0x0000000000400000-0x0000000000AEC000-memory.dmp

memory/3648-1110-0x0000000000400000-0x0000000000B06000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f0e5b81b5b774c6e45c95b9f99120135
SHA1 cad3d957247857adced4ed7f6f9bdc1255b44721
SHA256 126ccb08589bfad4c92d47353017050d6da52708faa12bc2b671e8cd6374772e
SHA512 96b6b2e36cf944b09de14a6b926aab9ea4728ade7a52ea6f24271f5223deed19453a1eaecdca12b27c0c22ede626d06727d1fa8d000a364203da580a43594d3c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 76c81c705846f47df261ce736f58b8a9
SHA1 ff394fedacb64c651bda20f01ab5bd981ecf975d
SHA256 51792042439163d4199fbdb72ca2f4af9ab9c171414d1a733d3ca1f4016e8743
SHA512 441f67469b9afbae4aa3ddca7b981e6dc40a7763be91b481e56c468eab5f90afa8d56658ab0288e560511e98fb21fd341ff38290c06abc1a1ad862f06dceed99

memory/2500-1128-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/792-1129-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/4072-1130-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/4692-1131-0x0000000000400000-0x0000000000ECF000-memory.dmp

C:\Users\Admin\Pictures\nvEgXPvRALAzyhRcDjKRaQOF.exe

MD5 d5e362b4b76f8d663629014c1bb09c62
SHA1 1dbacc95fdb2ec36fcf240110945e823e2968799
SHA256 70c64207d3246e85c043231bf9e56d6dadf185fbcfb5474d81637fea4fd7916b
SHA512 509651fe8d57bbb7b26101bc3709fd9a9c722d98741637e60b6d65bfd128208574a2b7f099bc8373c54e682456bc76817c8efc14fe49e9604ecaa83ed625adce

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403290032291452564.dll

MD5 117176ddeaf70e57d1747704942549e4
SHA1 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA256 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512 ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 0ce1e8b741d2b68250cffdeb3fb9f4ff
SHA1 243086ca0c91f9ded65bde5b854d0b034c3f00fc
SHA256 e0c9366f28fa4f5ae0e2a8f167ed2789a513c40d22556debec2e7070225f5bd4
SHA512 e94eea0d0f54af610acbdd443c3ab41d231db7dd374ae8863f38d83d707ea873f94a4941aa6a7cf27794527e1d8153d0e1ad4a3b72a3d17c8fd9c0bd73282679

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

memory/4140-1245-0x00000000002E0000-0x00000000007A5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d58a4630eb2866ce2f98b0758558771c
SHA1 0a50dc4c3a4684cade9786efac76970fbed1840a
SHA256 80072e3a0e14378945f981e17620d9a5162364e8b02cc321f919b2c2c097b403
SHA512 bef293f13a5d6b619d08f7ee17212c979c523919da44723abce299f60e65a54a0b32a643fdaecd94783030fa85d32be74bcb54b94858b42916e4ec048d154de8

memory/5076-1288-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/2248-1289-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/5088-1314-0x0000000000400000-0x0000000000AEC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b0f711abee6999fa9b6aeafa22866631
SHA1 d25c4cdb3eaf83361478066fac7c602e79f6012e
SHA256 bc2a727c3bb9e63582311e73279b0218c64180e43ba2a2ebb1e1bb2802c1fb02
SHA512 506c07619f0c9163b50d154181de861d2a7ceef8fc1a4640cc7811f266b0e83ba98a10bbf2bbe93f1a72ff0a290a290eb4276de048b77a8abac3ee5b01af7aaa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd9948f748110a072dd4d690aae3194c
SHA1 7b1f39dbc4266274476ef5784cac159e61c9db97
SHA256 fd1a996b87adb3a1f64601363c366fd2281804237c1ca6d96b4ca18f9b551921
SHA512 a5c2506550f0459be574109c204e1507585b0fdd150cd4a72a035dd6df2b2125db114d8343447e14e2e5c806cfb53dcbe9a8168ecf263b36283e1132a246e654

memory/2248-1357-0x0000000000400000-0x0000000000ECF000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 13253341e352726ffeac6a95e1e736f4
SHA1 6fc077d51d1f2f909a05a1e58aaafb33e80664f0
SHA256 17bb6285457ede4d5b959ecf1fc79b23284982db0073b29c535171c140504989
SHA512 96aa984d1a618ad42f2a9aba1f43215f6f7ebe64678059db9497ed029d7312f858d488360a442a4e2924240dfacca004ec7e6eab48cc672f491c6437d9fad16f

C:\Users\Admin\AppData\Local\Temp\u3tw.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/2724-1418-0x0000000000400000-0x0000000000ECF000-memory.dmp

memory/4964-1421-0x0000000000400000-0x0000000000B10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4140-1433-0x00000000002E0000-0x00000000007A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

memory/5076-1445-0x0000000000400000-0x0000000000ECF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 2f919e2efcfe70e33d9d531b9f556b50
SHA1 b9efd61ce348219bc30d6890d2e6471b93e17d5b
SHA256 176972be9b84dd2009cfe0510ef7167b53ec9520bdcf914beec84829b690c2fd
SHA512 8c9564d8086d0f4bfaf1c66df8d4aff05f2653f598d5f51c1f2d3343f5adeed30b6528407051a27b5a88202c99aa67a2322286c94bac8f2e4ab23f4d37fd97bc

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\opera_package

MD5 401c352990789be2f40fe8f9c5c7a5ac
SHA1 d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256 f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512 efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290032291\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6