Analysis Overview
SHA256
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
Threat Level: Known bad
The file 612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc was found to be: Known bad.
Malicious Activity Summary
Glupteba
Glupteba payload
Detect ZGRat V1
Rhadamanthys
ZGRat
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Detects DLL dropped by Raspberry Robin.
Lumma Stealer
Modifies firewall policy service
Modifies boot configuration data using bcdedit
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Drops file in Drivers directory
Possible attempt to disable PatchGuard
Modifies Windows Firewall
Executes dropped EXE
Windows security modification
Themida packer
Reads user/profile data of web browsers
Loads dropped DLL
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Manipulates WinMon driver.
Enumerates connected drives
Manipulates WinMonFS driver.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Runs ping.exe
Creates scheduled task(s)
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Modifies system certificate store
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-29 01:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 01:49
Reported
2024-03-29 01:54
Platform
win10-20240214-en
Max time kernel
299s
Max time network
304s
Command Line
Signatures
Detects DLL dropped by Raspberry Robin.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2388 created 2616 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | c:\windows\system32\sihost.exe |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C9dYqX8ZI442Ea4vJ2wCIN6U.exe = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\N1sraEeXasnb5X7yvJ8f7pNf.exe = "0" | C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\rNMrTXmsHJIWWcIZithOUutF.exe = "0" | C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zy977ElWNpMkV5lmR2qeKuDA.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lfj4MeXwkeddxHho4nxYXYlP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d69ua2BrwvasOsjCXa0r29Tt.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QG7kj1F16yzCemMNz9Hhqc2v.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\akpMqRoioNG8DRay1U9NcBYU.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\szKFtM9DOhLojFVz8XKkEfuv.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1DEGOVQe73Vpy8twCPjWMcC.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dt68cEhlNOXTMJUCx70Cr82y.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vanlkXfj9lDQxnRMwqcwnJy2.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FVXyqznyDIWayurZoGo22UXc.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8OUJxII7dG8zcAD1nXYbVpxm.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C9dYqX8ZI442Ea4vJ2wCIN6U.exe = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\rNMrTXmsHJIWWcIZithOUutF.exe = "0" | C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\N1sraEeXasnb5X7yvJ8f7pNf.exe = "0" | C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4156 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 1484 set thread context of 2388 | N/A | C:\Users\Admin\Pictures\lYKbr8qQyiCcc2Mgx2t603lZ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\lYKbr8qQyiCcc2Mgx2t603lZ.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u2zc.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u2zc.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
c:\windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe
"C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\Pictures\aDWUP5vaS4snh5wUdxwYbnd2.exe
"C:\Users\Admin\Pictures\aDWUP5vaS4snh5wUdxwYbnd2.exe"
C:\Users\Admin\Pictures\lYKbr8qQyiCcc2Mgx2t603lZ.exe
"C:\Users\Admin\Pictures\lYKbr8qQyiCcc2Mgx2t603lZ.exe"
C:\Users\Admin\Pictures\AsBDbWxLP0euwaKttSZbnJwM.exe
"C:\Users\Admin\Pictures\AsBDbWxLP0euwaKttSZbnJwM.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 836
C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe
"C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe"
C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe
"C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe"
C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe
"C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Users\Admin\AppData\Local\Temp\u2zc.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2zc.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 632
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe
"C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe" --silent --allusers=0
C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe
C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x6dc4e1d0,0x6dc4e1dc,0x6dc4e1e8
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\mk3WQcH8hwwW6omJDWRMUiVV.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\mk3WQcH8hwwW6omJDWRMUiVV.exe" --version
C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe
"C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=512 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329014949" --session-guid=75ab71f1-e75b-40f4-b6bf-4c71265c9c70 --server-tracking-blob=MzEyNTE0M2RjMjE2YTZhZDhhYWIxZjdhNzdjNjFlMjQ2OWNkZTU5ZmI1OGRlZTMyMDZhMGE3YTBlNmFlY2RmYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2NzY5NzMuNjQ0MyIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImZjZjViZGE2LTY0M2QtNGM5Ny05YzVlLTY2NmViYTZiMDk1YSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5004000000000000
C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe
C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x280,0x2bc,0x6d2ce1d0,0x6d2ce1dc,0x6d2ce1e8
C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe"
C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe
"C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe"
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe
"C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe"
C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe
"C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe"
C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe
"C:\Users\Admin\Pictures\rNMrTXmsHJIWWcIZithOUutF.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xd50040,0xd5004c,0xd50058
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k smphost
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KFIEHIIIJD.exe"
C:\Users\Admin\AppData\Local\Temp\KFIEHIIIJD.exe
"C:\Users\Admin\AppData\Local\Temp\KFIEHIIIJD.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KFIEHIIIJD.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 8.8.8.8:53 | piramidglobaltobacco.id | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.152.98:443 | shipofdestiny.com | tcp |
| US | 172.67.160.247:443 | operandotwo.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 77.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 8.8.8.8:53 | guseman.org | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 144.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.64.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.73.21.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.210.57.176.in-addr.arpa | udp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 104.21.80.30:443 | guseman.org | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.80.21.104.in-addr.arpa | udp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | herdbescuitinjurywu.shop | udp |
| US | 172.67.206.194:443 | herdbescuitinjurywu.shop | tcp |
| US | 8.8.8.8:53 | 194.206.67.172.in-addr.arpa | udp |
| US | 172.67.206.194:443 | herdbescuitinjurywu.shop | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 65.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 8.8.8.8:53 | 209.128.172.185.in-addr.arpa | udp |
| US | 172.67.206.194:443 | herdbescuitinjurywu.shop | tcp |
| US | 172.67.206.194:443 | herdbescuitinjurywu.shop | tcp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 124.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 185.26.182.118:443 | features.opera-api2.com | tcp |
| NL | 185.26.182.122:443 | download.opera.com | tcp |
| US | 8.8.8.8:53 | 118.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download3.operacdn.com | udp |
| GB | 95.101.143.176:443 | download3.operacdn.com | tcp |
| US | 8.8.8.8:53 | 176.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.248:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 248.2.93.185.in-addr.arpa | udp |
| US | 46.226.167.187:80 | 46.226.167.187 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 8.8.8.8:53 | 187.167.226.46.in-addr.arpa | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.11.89:443 | download5.operacdn.com | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 89.11.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104ef41c-22a6-4644-9f01-4330b8b3d3bf.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 8.8.8.8:53 | 145.155.9.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server6.statsexplorer.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.l.google.com | udp |
| US | 74.125.250.129:19302 | stun.l.google.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server6.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 129.250.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server6.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | 193.98.74.40.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server6.statsexplorer.org | tcp |
| BG | 185.82.216.108:443 | server6.statsexplorer.org | tcp |
| N/A | 127.0.0.1:31465 | tcp | |
| BG | 185.82.216.108:443 | server6.statsexplorer.org | tcp |
Files
memory/4156-0-0x0000020E2BB10000-0x0000020E2BB26000-memory.dmp
memory/4156-1-0x00007FF8FAF30000-0x00007FF8FB91C000-memory.dmp
memory/4156-2-0x0000020E2BF00000-0x0000020E2BF10000-memory.dmp
memory/4156-3-0x0000020E46D10000-0x0000020E46D6C000-memory.dmp
memory/2780-4-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2780-5-0x00000000737C0000-0x0000000073EAE000-memory.dmp
memory/2780-6-0x0000000005030000-0x0000000005040000-memory.dmp
C:\Users\Admin\Pictures\TssN5pcF06H9iAaybGoyoDNu.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\pGmhTy6rgsMPCF8fmXtYfE2X.exe
| MD5 | 85d53108f66427aa94a673f90ad206ff |
| SHA1 | 477caec3453ae85111029202b95ea1848de8e7bb |
| SHA256 | 84191e819c1604a3dee2bac4b7550d273903bd4f2010d90c23c1953dee3f7573 |
| SHA512 | 1059041656ff33f1a845d1e485ad87a875bd546a01904d2186523a3cc1caf39eae9ec5b75ebbf18962c9a01d0f6f6d557dfc53adab630ba890dc4dc789370b85 |
C:\Users\Admin\Pictures\aDWUP5vaS4snh5wUdxwYbnd2.exe
| MD5 | 8bc396803bf0c509173078f354cb293b |
| SHA1 | 8a8e2298863cf6d5b5ad1c1f1efdb4f372f1cfa0 |
| SHA256 | e79bb6f916ff4f4bcca0dd2bb4c16233090265c38f3aeaa4a19bb125138773bb |
| SHA512 | da3e916fb3b662584e3f1c8e5e6ac3c75c2f8aba0113597257cae5e9515944055e59d242efd08155939ea7044c7bf15a242f8d950e0a4a996889cbad1e20cd83 |
memory/3864-27-0x0000000000B90000-0x0000000000C90000-memory.dmp
memory/3864-28-0x0000000002700000-0x000000000276E000-memory.dmp
memory/3864-29-0x0000000000400000-0x0000000000B0E000-memory.dmp
C:\Users\Admin\Pictures\be6dmLbKRQdXFF2WvvxOu2eU.exe
| MD5 | a40fa87a1e9df07a52cd9074ef2f8640 |
| SHA1 | 451e83eafa82665a5e7703d1bf158dc1a9cc2087 |
| SHA256 | 25058dab8bcbe320fcbf098623434b02c9913bd8bf8c7ad237baa63cde0295a5 |
| SHA512 | 4ecf080e74cb39750d335b5ae42580f915a80bda6e6968b11039b51c6d0471e03fa512662cc1c1d9fe4ab9bff0495fd90ee4ed099cbcc008040a80df44ee1e9f |
C:\Users\Admin\Pictures\lYKbr8qQyiCcc2Mgx2t603lZ.exe
| MD5 | 7960d8afbbac06f216cceeb1531093bb |
| SHA1 | 008221bf66a0749447cffcb86f2d1ec80e23fc76 |
| SHA256 | f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84 |
| SHA512 | 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147 |
memory/1484-43-0x0000000000670000-0x00000000006DE000-memory.dmp
memory/1484-44-0x00000000737C0000-0x0000000073EAE000-memory.dmp
memory/1484-45-0x0000000002930000-0x0000000002940000-memory.dmp
C:\Users\Admin\Pictures\AsBDbWxLP0euwaKttSZbnJwM.exe
| MD5 | e2a6c1f58b137874e490b8d94382fcdb |
| SHA1 | 71529c5d708091b1e1a580227dc52e62a140edd1 |
| SHA256 | 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437 |
| SHA512 | 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff |
memory/2388-56-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2388-59-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1484-60-0x00000000029E0000-0x00000000049E0000-memory.dmp
C:\Users\Admin\Pictures\C9dYqX8ZI442Ea4vJ2wCIN6U.exe
| MD5 | 80fbcd8bcab6ddca53a467dfc54b2123 |
| SHA1 | 5394a3de0dc598eeba66870d9070f54e8b137ede |
| SHA256 | fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b |
| SHA512 | d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c |
memory/2444-70-0x0000000000C70000-0x0000000000CBA000-memory.dmp
memory/2444-66-0x0000000000B10000-0x0000000000C10000-memory.dmp
memory/2444-72-0x0000000002740000-0x0000000002780000-memory.dmp
memory/2444-79-0x0000000002740000-0x0000000002780000-memory.dmp
memory/2444-71-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/2444-83-0x0000000002740000-0x0000000002780000-memory.dmp
memory/2444-85-0x0000000002740000-0x0000000002780000-memory.dmp
memory/2444-90-0x0000000002740000-0x0000000002780000-memory.dmp
C:\Users\Admin\Pictures\N1sraEeXasnb5X7yvJ8f7pNf.exe
| MD5 | ac5f59828c7112f4d6f37f3daea03a4c |
| SHA1 | 780cbc00e9a044da535af3f1da25445c893a8e53 |
| SHA256 | 6b0109f5a9106f6cfa857fd3380aaed9c3d461bd8303d58a22af7a42b658b1fc |
| SHA512 | 7b68ba612901c89af3a50c5241c03001911a7f8b4cb60966a8578b9eb9dfdbd3c917391af1c12e75217d557c1c2367971a8a9edd05a3fb0aafe68774e46db873 |
memory/2388-93-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1128-94-0x0000000002A90000-0x0000000002E8B000-memory.dmp
memory/1128-95-0x0000000002F90000-0x000000000387B000-memory.dmp
memory/5068-96-0x0000000002B10000-0x0000000002F0E000-memory.dmp
memory/2308-97-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4156-98-0x00007FF8FAF30000-0x00007FF8FB91C000-memory.dmp
memory/1128-99-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2308-100-0x0000000002B30000-0x0000000002F38000-memory.dmp
memory/5068-101-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2444-103-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-102-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-104-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-105-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-106-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-107-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-109-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-108-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-110-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-112-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-111-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-117-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-116-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-118-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-119-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-115-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-114-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-113-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2388-120-0x0000000003860000-0x0000000003C60000-memory.dmp
memory/2388-123-0x0000000003860000-0x0000000003C60000-memory.dmp
memory/2444-122-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-125-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-121-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-126-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-128-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-129-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2388-127-0x00007FF9179A0000-0x00007FF917B7B000-memory.dmp
memory/2444-135-0x0000000003120000-0x0000000003220000-memory.dmp
memory/200-140-0x0000000004590000-0x0000000004990000-memory.dmp
memory/2444-142-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-144-0x0000000003220000-0x0000000003260000-memory.dmp
memory/200-145-0x0000000077290000-0x0000000077452000-memory.dmp
memory/2444-146-0x0000000003220000-0x0000000003260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2zc.0.exe
| MD5 | a533c58be371236669106ab5243b05bb |
| SHA1 | 59e8eae350fd911b9d74940fd5a0793f6b4fddc0 |
| SHA256 | 6f746358af1862e923dee83621f64d56b2e8d8f8936e71d4d6bc565e97e58b09 |
| SHA512 | 83970ca812ebef5e7c7a4e32c6b6a48d0028f688241441fedfa00e9171592bbc6fa883f0bc7f2603d31f687b1510633bca5468b3ecb96481aa62451c85885f8d |
memory/200-141-0x00007FF9179A0000-0x00007FF917B7B000-memory.dmp
memory/2444-139-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2444-134-0x0000000003120000-0x0000000003220000-memory.dmp
memory/200-133-0x00000000008C0000-0x00000000008C9000-memory.dmp
memory/2444-132-0x0000000003120000-0x0000000003220000-memory.dmp
memory/2388-131-0x0000000077290000-0x0000000077452000-memory.dmp
memory/2444-150-0x0000000003220000-0x0000000003260000-memory.dmp
memory/2444-151-0x0000000003220000-0x0000000003260000-memory.dmp
memory/2444-149-0x0000000003220000-0x0000000003260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zg24h52a.jy5.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3864-346-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/2444-374-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/1128-403-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/5068-428-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2308-431-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\Pictures\mk3WQcH8hwwW6omJDWRMUiVV.exe
| MD5 | ed088ab8c2691ebbd0174a5b6f1363c6 |
| SHA1 | ff6dcba0cb1f4288b27d7366b6689f7f17931bd2 |
| SHA256 | 8612f909dbe76c5d32f5d7093d5b8d34e3dbd92d820b7e6efc2c5dde0060b6b9 |
| SHA512 | ca2f3429fb248ed5b7256ca3075a835d98ebb9f1799ac1ae50c0e69784b72f192475e971abfab5618f4fba9264c9e9c0e14ff65aad87e3ace09ba441cea54ce9 |
\Users\Admin\AppData\Local\Temp\Opera_installer_240329014948552512.dll
| MD5 | 117176ddeaf70e57d1747704942549e4 |
| SHA1 | 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b |
| SHA256 | 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af |
| SHA512 | ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | bbc118781322bbdecff007e10f3e384d |
| SHA1 | 1d440bc5f506c5d5d27e736c75d331adaa2f4841 |
| SHA256 | 6798988b3aefc01f97ddd7ead007a20800ea960edbc93551d1e0d740e712bdc5 |
| SHA512 | a7bb3cf6b51e58cc7fe8e912b43d5ba9d48fe97750773e4f9e6a0751fca73f878ebe91fb5296d952b134d065af8fcaaa37645eb0239012f9307095f91ce2ce15 |
C:\Users\Admin\AppData\Local\Temp\u2zc.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/3864-657-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/4308-794-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 6fd7d804c86c720d2bacf605311aaab7 |
| SHA1 | d45f716fee1b0ce34f47eb2cc03a4858d34a9057 |
| SHA256 | 80080a60e4bb4af5a5a44a21faf5ea041b21c33f361ae4d29f91100404ad137a |
| SHA512 | f81164c26893d53cfd50e21226d88ad5989e547263ebbb2475890b2b1b2489f054eb8f1f7f2a3414f7c486b47fb86671fc0a3e0d59424f575527082c7924d090 |
memory/5068-968-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1128-965-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2308-972-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4308-976-0x0000000000400000-0x0000000000AEA000-memory.dmp
C:\Users\Admin\Pictures\EGFMIE0HspTwhrp9Vg10GnlB.exe
| MD5 | 858bb0a3b4fa6a54586402e3ee117076 |
| SHA1 | 997c31f043347883ea5ed2323a558b6cc5ea9c8e |
| SHA256 | d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35 |
| SHA512 | e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd |
memory/4532-1128-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/4676-1134-0x00007FF6B7510000-0x00007FF6B801A000-memory.dmp
memory/4676-1145-0x00007FF6B7510000-0x00007FF6B801A000-memory.dmp
memory/4676-1137-0x00007FF6B7510000-0x00007FF6B801A000-memory.dmp
memory/4676-1150-0x00007FF6B7510000-0x00007FF6B801A000-memory.dmp
memory/4676-1153-0x00007FF6B7510000-0x00007FF6B801A000-memory.dmp
memory/4676-1157-0x00007FF6B7510000-0x00007FF6B801A000-memory.dmp
memory/4676-1162-0x00007FF6B7510000-0x00007FF6B801A000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 276ab0828a01c40f3a39cde978df6597 |
| SHA1 | 0b6c53ba74777f44d017707d6826b25ce79f2c78 |
| SHA256 | fee7d9e589f0f513f4b2f2704677e9ae0baabc9083684b3f3ca323c3b1a6e266 |
| SHA512 | 643821c0e6b3c3ade1a2d684f72e7d7f1174b184168a9f7b692369e55d7317f80c332e7d433a08ce070495c43abb9d0e8b846fab5be1a6f0ca1717767dedb257 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 694aaed21135bea1ccb6f31ba1c3d8ad |
| SHA1 | 95ac7a86f199eb139374443e4f9892b55df81fcf |
| SHA256 | 1cdb21e5f2d1f61935e09e5304040bb23f0e0b694cae9e7a9c7b5106d5beac5a |
| SHA512 | 328618e3efc18d879ef0db2e6d6cbdb2b230da82d7c864a2f13286fa7ff9ecf3fdb7209813b80965e4a197881b13a1d6e6cbd14db1a09b681332a6d07a7bece1 |
memory/4308-1323-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/1128-1325-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4532-1329-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/5068-1334-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2308-1344-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/4676-1788-0x00007FF6B7510000-0x00007FF6B801A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\opera_package
| MD5 | 401c352990789be2f40fe8f9c5c7a5ac |
| SHA1 | d7c1e902487511d3f4e1a57abdee8a94d5483ed4 |
| SHA256 | f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3 |
| SHA512 | efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 781d53d5e56f7a40cfea30cebc1835de |
| SHA1 | 0f2c48993b38cd7a8d64ab27f61ddda85eaf44e0 |
| SHA256 | 25cba1b19e93225deb58c049f674b0e238a13f17a7105e94ac02da00b2df7f3f |
| SHA512 | bfeaab4afc634ed8495b4e973491e50756b429bbb01f2450648e26b3f1d03836659a1638ca548899557710f623883a632cdbde934768e6e2659e44152625df18 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | db01a2c1c7e70b2b038edf8ad5ad9826 |
| SHA1 | 540217c647a73bad8d8a79e3a0f3998b5abd199b |
| SHA256 | 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d |
| SHA512 | c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 4a35641ad417bdde0dd851cf591acc88 |
| SHA1 | ae0d8e5a9c8dcbcf3cdc19c8bd00d1be53c39235 |
| SHA256 | a6e1ad00ddeabcb60520cad2b93d2eedfd9722604669d261632380046660b0f9 |
| SHA512 | 8640a5ed189cfae44ba43cc060c1a736830ba94e9a7bee08be88ca98c624e947d6c88a2f43d1cc393a6910d36d1113586eca44a77bcf3e214c5aa369e966d7ea |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 8a01e35bda098ff807d5ac1143e2ffca |
| SHA1 | 6a6b08907596a2eb44bb758c0536ca7dc9acbfe1 |
| SHA256 | 27bc793a66da972cc4da1fb017374ac592fc98e163a09183eefc970909cabf49 |
| SHA512 | 219a7efc8d83c04d60ed3a32660a76ee3d610ec56717a57a7775d08058cce4b7e74bf6ac9c83f5eca16b50e23ab9f00881ef79dfe7eb269e400b10cdb401d8c7 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 0f38a17bbaa7b6f75f51c671be981097 |
| SHA1 | ee95e5225cfb623b6ddd58902bf72504993e2030 |
| SHA256 | 03f4d293b34e18f429d34282179a04a705d448f3b88b88982486997f6cd51f39 |
| SHA512 | 429100ae213ea857fa3fefea7b512bb616219f76cf2a55a4735776650806d42582ff886cd4779a1406d2bc9d0f514c93e40c3d12d9e764ffa8b880067bd704a2 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\additional_file0.tmp
| MD5 | 20d293b9bf23403179ca48086ba88867 |
| SHA1 | dedf311108f607a387d486d812514a2defbd1b9e |
| SHA256 | fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348 |
| SHA512 | 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\assistant_installer.exe
| MD5 | b3f05009b53af6435e86cfd939717e82 |
| SHA1 | 770877e7c5f03e8d684984fe430bdfcc2cf41b26 |
| SHA256 | 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7 |
| SHA512 | d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\dbgcore.DLL
| MD5 | 8b6f64e5d3a608b434079e50a1277913 |
| SHA1 | 03f431fabf1c99a48b449099455c1575893d9f32 |
| SHA256 | 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2 |
| SHA512 | c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c |
\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290149491\assistant\dbghelp.dll
| MD5 | 925ea07f594d3fce3f73ede370d92ef7 |
| SHA1 | f67ea921368c288a9d3728158c3f80213d89d7c2 |
| SHA256 | 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9 |
| SHA512 | a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8ddfa6cf3048c61a2481dad55133dfa1 |
| SHA1 | 8129493492f5b94d9a70c8338284beba83071d65 |
| SHA256 | fe681266c57f55f71b0103f09c379017add5743c5039faa579113b9132d46779 |
| SHA512 | 399db391e235a1645fc0583dd8dbfbaab7a96b7b4e5dddaa00e73fa731b3caa3f5ba7ca6fd9bc200ce6fa6cdd13a9e926381ae8e92f76611cb07624dc90b31ac |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 97003aba77c853edb78cd947aae7cdc6 |
| SHA1 | 1aedbb544286db82ebc0764f9aa4d1b12fc98866 |
| SHA256 | ff27d6713d1b285fa6b3995d595bcca9dee153cb1a8c4e3fe72bf8b55f973bca |
| SHA512 | 878b8c3fe2b841de929101a403d95636835665711d981f6045cbef5b3ba1a6de54e4c5de5c4e4c32e8e52a6b66135a9a83f1a1d1d6346b429fd3e18e856776ca |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 95c3c6c5e49e32ab0558940ba6ea3f30 |
| SHA1 | 37990c50eafd6a90f1b1a59b9340f2e2d5021527 |
| SHA256 | a9eda8e74e81441fa555420a7c1b16013699b3d1147fca46a3b8283a8e298055 |
| SHA512 | e9ea984c627ac7f7524511322c2f4e78f239631900e0bc1ca0ae1de1e7e90f32badd87594f101993d8656222335a299440c22ae3fec252f10a61f41d5c60cf6c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 0173ef0ada113cbf853c7a9b65d95bb1 |
| SHA1 | b980665881d066f3ae2ec97b664569ae322c0d3d |
| SHA256 | 0e47ad458b0141be3c39cf297e07939d9d2e4b299e82dc6f3de67bb981aba639 |
| SHA512 | 3cc626bf6b18f2a48ae1be727eace1f89c6a592f61c44be87c38b4a7c133312c7cd65a83ab9a8b08dbbb09dd3bc17c62f9cd922f740696929655131f9346f32f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 44b9b8c6075f6a1967ad5c8255fe3364 |
| SHA1 | d10105dff34377f042709a364cfc25429eab0394 |
| SHA256 | 88bf3afb192295187dda867415634690ca0a88d16ab7daaed30f86ea0a436328 |
| SHA512 | c0d35e0a87b888793559629dbe736c04efabec357c6a006481e15b35aa977d80f951dc5a2be1761885667cd0cf103b38c0e18b746783736f5d9d02302aa4e235 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 66cd15758286316edf5e88df54db65ee |
| SHA1 | 8476543df46a912e7977d7c7848e26dfda81706e |
| SHA256 | ad782a21f9553e4d8064fe0fddb7f5e871db2d9e1f52ac5eaa3593e0bf9ad26f |
| SHA512 | 9352e2bd4b28d68d110fc0b2b262ac9d0d8935120d4287b6c2c7b83f5c0b4896f955fffc801347dce0f846cb4f011662837f5a72f35cb1a80e7e16bf9d451e2a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 01:49
Reported
2024-03-29 01:54
Platform
win7-20240319-en
Max time kernel
282s
Max time network
287s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
Stealc
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JaY74HK4rRWJ0l9C6VdAtVUn.exe = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\K970yedMhsEufgWIrsuXWrM1.exe = "0" | C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i3DQ4Walaz06RJnt5OsDZyAt.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3Mzh4j90mWIqVqo26Ud1F9CB.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\du8AwV6dvFtqlPyn4Y6pTF0J.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anZoWh7EuccZhEvlHyn8ZKE3.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bTlqQgkFmOxOIfous4efzRFy.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5biexEEyFuQdSLrnQM6DEJ4T.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zxVWZg7cwGo44fnqqTNQLiBd.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L0pL8kYhD11g2PuwAAwGwJbZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IfTIamfFSeYRImyogNbtn8QY.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JaY74HK4rRWJ0l9C6VdAtVUn.exe = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\K970yedMhsEufgWIrsuXWrM1.exe = "0" | C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2924 set thread context of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\ueK8QLoxeFkVi3QaWLpNnpMp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240329014944.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u2a4.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u2a4.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\ueK8QLoxeFkVi3QaWLpNnpMp.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\ueK8QLoxeFkVi3QaWLpNnpMp.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe
"C:\Users\Admin\AppData\Local\Temp\612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2924 -s 716
C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe
"C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe"
C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe
"C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe"
C:\Users\Admin\Pictures\sJGSvmuPwzIuepWAR2BAkFqv.exe
"C:\Users\Admin\Pictures\sJGSvmuPwzIuepWAR2BAkFqv.exe"
C:\Users\Admin\Pictures\GMlBUdzBYPSvv1md2A3fGDaT.exe
"C:\Users\Admin\Pictures\GMlBUdzBYPSvv1md2A3fGDaT.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240329014944.log C:\Windows\Logs\CBS\CbsPersist_20240329014944.cab
C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe
"C:\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe"
C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe
"C:\Users\Admin\Pictures\K970yedMhsEufgWIrsuXWrM1.exe"
C:\Users\Admin\Pictures\ueK8QLoxeFkVi3QaWLpNnpMp.exe
"C:\Users\Admin\Pictures\ueK8QLoxeFkVi3QaWLpNnpMp.exe"
C:\Users\Admin\AppData\Local\Temp\u2a4.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2a4.0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Users\Admin\Pictures\ueK8QLoxeFkVi3QaWLpNnpMp.exe
"C:\Users\Admin\Pictures\ueK8QLoxeFkVi3QaWLpNnpMp.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe
"C:\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"
C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
"C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | piramidglobaltobacco.id | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | operandotwo.com | udp |
| US | 8.8.8.8:53 | sty.ink | udp |
| US | 8.8.8.8:53 | shipofdestiny.com | udp |
| US | 8.8.8.8:53 | namemail.org | udp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| AT | 5.42.64.17:80 | 5.42.64.17 | tcp |
| US | 8.8.8.8:53 | cu82342.tw1.ru | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| SG | 217.21.73.190:443 | piramidglobaltobacco.id | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| US | 104.21.32.142:443 | shipofdestiny.com | tcp |
| US | 104.21.15.5:443 | operandotwo.com | tcp |
| US | 104.21.32.142:443 | shipofdestiny.com | tcp |
| US | 172.67.200.219:443 | sty.ink | tcp |
| RU | 176.57.210.144:443 | cu82342.tw1.ru | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | lawyerbuyer.org | udp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 172.67.170.65:443 | lawyerbuyer.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 95.101.143.25:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | guseman.org | udp |
| US | 104.21.80.30:443 | guseman.org | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| DE | 185.172.128.144:80 | 185.172.128.144 | tcp |
| DE | 185.172.128.209:80 | 185.172.128.209 | tcp |
| US | 8.8.8.8:53 | 0f11e6c0-281e-4861-b036-6165184c7e7b.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.246:80 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| DE | 185.172.128.65:80 | 185.172.128.65 | tcp |
| US | 46.226.167.187:80 | 46.226.167.187 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | server4.statsexplorer.org | udp |
| US | 8.8.8.8:53 | stun.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server4.statsexplorer.org | tcp |
| GB | 142.251.29.127:19302 | stun.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| BG | 185.82.216.108:443 | server4.statsexplorer.org | tcp |
| BG | 185.82.216.108:443 | server4.statsexplorer.org | tcp |
Files
memory/2924-0-0x0000000000360000-0x0000000000376000-memory.dmp
memory/2924-1-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
memory/2924-2-0x000000001B0F0000-0x000000001B170000-memory.dmp
memory/2924-3-0x000000001A960000-0x000000001A9BC000-memory.dmp
memory/1268-4-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1268-5-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1268-6-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1268-7-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1268-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1268-9-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1268-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1268-13-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1268-14-0x0000000074C40000-0x000000007532E000-memory.dmp
memory/1268-15-0x0000000004C00000-0x0000000004C40000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar5642.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
\Users\Admin\Pictures\JaY74HK4rRWJ0l9C6VdAtVUn.exe
| MD5 | 80fbcd8bcab6ddca53a467dfc54b2123 |
| SHA1 | 5394a3de0dc598eeba66870d9070f54e8b137ede |
| SHA256 | fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b |
| SHA512 | d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c |
memory/2948-198-0x0000000002860000-0x0000000002C58000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38ae55ecea3aaac49e7821cc39d88081 |
| SHA1 | f2339c7214a38c7b6ddaf35a2b107ad90b7f13cc |
| SHA256 | 1947dfa998ceac9531f73ab68dbbeb28df94d6ea4744cef62a35c42b0fdb0001 |
| SHA512 | 543c08028748de3482e4d5a40d298a69a4049e418c2435d2b4c9107dc8a9eb204ee78f1113ba88331a788eacf6841ad140f28e63856e64c6c6aee773ba8fe8de |
memory/2948-236-0x0000000002C60000-0x000000000354B000-memory.dmp
memory/2948-228-0x0000000002860000-0x0000000002C58000-memory.dmp
memory/2948-245-0x0000000000400000-0x0000000000ECD000-memory.dmp
\Users\Admin\Pictures\sJGSvmuPwzIuepWAR2BAkFqv.exe
| MD5 | 8bc396803bf0c509173078f354cb293b |
| SHA1 | 8a8e2298863cf6d5b5ad1c1f1efdb4f372f1cfa0 |
| SHA256 | e79bb6f916ff4f4bcca0dd2bb4c16233090265c38f3aeaa4a19bb125138773bb |
| SHA512 | da3e916fb3b662584e3f1c8e5e6ac3c75c2f8aba0113597257cae5e9515944055e59d242efd08155939ea7044c7bf15a242f8d950e0a4a996889cbad1e20cd83 |
memory/956-276-0x00000000026A0000-0x0000000002A98000-memory.dmp
C:\Users\Admin\Pictures\GMlBUdzBYPSvv1md2A3fGDaT.exe
| MD5 | e2a6c1f58b137874e490b8d94382fcdb |
| SHA1 | 71529c5d708091b1e1a580227dc52e62a140edd1 |
| SHA256 | 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437 |
| SHA512 | 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff |
memory/956-283-0x0000000002AA0000-0x000000000338B000-memory.dmp
memory/956-282-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/1568-281-0x0000000000220000-0x000000000026A000-memory.dmp
memory/1568-280-0x0000000000C74000-0x0000000000C9F000-memory.dmp
memory/1568-279-0x0000000000400000-0x0000000000B06000-memory.dmp
memory/956-284-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2956-285-0x0000000000CC0000-0x0000000000DC0000-memory.dmp
memory/2956-287-0x0000000000230000-0x000000000029E000-memory.dmp
memory/2956-288-0x0000000000400000-0x0000000000B0E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05aae452fc02c6597c4e461c0326973b |
| SHA1 | 7d8ef4b7233d8a5826bfad07aa7a762bb2f13939 |
| SHA256 | 7d21ad8b3cd7dcc95617ad9fd61c63692f464e876a95aa4a14cb2ea896cc44d2 |
| SHA512 | ee230c8d6b0c1cddbfb2f60e735e25fac20c67a825e4a2668bbb4597eaddda4983d75203551f430319af994fb911f372d66cd837233fdc46289b2b32449d483f |
memory/2632-415-0x0000000002890000-0x0000000002C88000-memory.dmp
C:\Users\Admin\Pictures\ueK8QLoxeFkVi3QaWLpNnpMp.exe
| MD5 | ac5f59828c7112f4d6f37f3daea03a4c |
| SHA1 | 780cbc00e9a044da535af3f1da25445c893a8e53 |
| SHA256 | 6b0109f5a9106f6cfa857fd3380aaed9c3d461bd8303d58a22af7a42b658b1fc |
| SHA512 | 7b68ba612901c89af3a50c5241c03001911a7f8b4cb60966a8578b9eb9dfdbd3c917391af1c12e75217d557c1c2367971a8a9edd05a3fb0aafe68774e46db873 |
memory/1656-431-0x0000000002750000-0x0000000002B48000-memory.dmp
memory/2632-432-0x0000000002890000-0x0000000002C88000-memory.dmp
memory/2924-433-0x000000001B0F0000-0x000000001B170000-memory.dmp
memory/2924-418-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
memory/1268-434-0x0000000074C40000-0x000000007532E000-memory.dmp
memory/1656-435-0x0000000002750000-0x0000000002B48000-memory.dmp
memory/1268-436-0x0000000004C00000-0x0000000004C40000-memory.dmp
memory/2948-437-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2784-417-0x0000000002740000-0x0000000002B38000-memory.dmp
memory/2632-439-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2784-440-0x0000000002740000-0x0000000002B38000-memory.dmp
memory/956-438-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2784-441-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1656-442-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2a4.0.exe
| MD5 | a533c58be371236669106ab5243b05bb |
| SHA1 | 59e8eae350fd911b9d74940fd5a0793f6b4fddc0 |
| SHA256 | 6f746358af1862e923dee83621f64d56b2e8d8f8936e71d4d6bc565e97e58b09 |
| SHA512 | 83970ca812ebef5e7c7a4e32c6b6a48d0028f688241441fedfa00e9171592bbc6fa883f0bc7f2603d31f687b1510633bca5468b3ecb96481aa62451c85885f8d |
memory/1652-458-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/2956-459-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/1652-460-0x00000000001B0000-0x00000000001D7000-memory.dmp
memory/1652-461-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/1548-464-0x0000000002830000-0x0000000002C28000-memory.dmp
memory/1656-465-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1548-466-0x0000000002830000-0x0000000002C28000-memory.dmp
memory/2632-467-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2784-468-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2956-469-0x0000000000CC0000-0x0000000000DC0000-memory.dmp
memory/1548-470-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2632-479-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1736-480-0x0000000002830000-0x0000000002C28000-memory.dmp
memory/1736-481-0x0000000002830000-0x0000000002C28000-memory.dmp
memory/1736-482-0x0000000002C30000-0x000000000351B000-memory.dmp
memory/1736-483-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1548-485-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1548-486-0x0000000002830000-0x0000000002C28000-memory.dmp
memory/2784-487-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/1652-489-0x0000000000400000-0x0000000000AEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
memory/1652-511-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/2956-532-0x0000000000400000-0x0000000000B0E000-memory.dmp
memory/2956-538-0x0000000000CC0000-0x0000000000DC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2a4.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/1844-554-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1736-555-0x0000000000400000-0x0000000000ECD000-memory.dmp
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
memory/1844-492-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2544-556-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1652-559-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/1652-560-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/1736-563-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/2544-568-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 96a3ada7cef5b8114d7c2955e4334eab |
| SHA1 | b73a9ad18ea7feb068ebf51e463f2ad1b4e9c2f0 |
| SHA256 | 92582416c0b65a727a13ef8975ca76462de4126c45ed89c5379011c5fdc8f18a |
| SHA512 | 713c44f24998e73695817c0a87c9575de442039d0e7ad6568491915b3ad105c2a9cc356a2dab0a38c2163d803c4d32a65ee5d1d07f4961f618ab70bfdf90a2ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8accf7b33f30d35863c9dae5ebd13420 |
| SHA1 | 3c70e4ae2fca38ccc7c1379aeee7bb75f662c173 |
| SHA256 | 09bdc68c09da47da5ab62e9cb42f9e585e29b71d0496b448170dc28aa74360df |
| SHA512 | 633904fb1ba4cd271ff309f5c9aed23ca37113e40f6415f8e6ac339c1fd7835f74cc61e29e5c4bddc41c55ae5485bbf06b8106dbbe9fbe4f9c4f273e66b4c331 |
memory/1736-610-0x0000000002830000-0x0000000002C28000-memory.dmp
memory/2544-614-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/1736-616-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 9b1767678f4241fb328890b0a58603a6 |
| SHA1 | ad66c7ee240b68fa7d4e65c97a8263364edb71f0 |
| SHA256 | 49a39ecf14f0bcbbe28d456fa0684a4d6f3b7d57d63d6b40a336d4a3ad49875e |
| SHA512 | ba91ec52e615b8053722df0b3f5616c6642ea6943ca6b3f08348a96b9697bdabea439c8ff58b39e1b7ed5951cdcf9d91f811a00cd32fecafe980c44d828618ad |
memory/2544-628-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/268-630-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
memory/2544-629-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/268-636-0x0000000001080000-0x0000000004978000-memory.dmp
memory/1736-658-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/268-659-0x000000001EA80000-0x000000001EB00000-memory.dmp
memory/268-663-0x000000001EE60000-0x000000001EF70000-memory.dmp
memory/268-664-0x0000000000610000-0x0000000000620000-memory.dmp
memory/268-665-0x0000000000E00000-0x0000000000E0C000-memory.dmp
memory/268-666-0x0000000000BA0000-0x0000000000BB4000-memory.dmp
memory/268-667-0x0000000001060000-0x0000000001084000-memory.dmp
memory/1652-669-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/268-679-0x0000000000EC0000-0x0000000000ECA000-memory.dmp
memory/268-680-0x000000001EB00000-0x000000001EB2A000-memory.dmp
memory/268-681-0x000000001F230000-0x000000001F2E2000-memory.dmp
memory/268-682-0x000000001EDB0000-0x000000001EE2A000-memory.dmp
memory/268-683-0x0000000000D40000-0x0000000000DA2000-memory.dmp
memory/268-684-0x0000000000560000-0x000000000056A000-memory.dmp
memory/268-688-0x000000001F840000-0x000000001FB40000-memory.dmp
memory/268-690-0x0000000000580000-0x000000000058A000-memory.dmp
memory/268-691-0x000000001EA80000-0x000000001EB00000-memory.dmp
memory/268-692-0x000000001EA80000-0x000000001EB00000-memory.dmp
memory/268-693-0x0000000000FE0000-0x0000000000FEA000-memory.dmp
memory/268-694-0x0000000000FF0000-0x0000000001012000-memory.dmp
memory/1736-697-0x0000000000400000-0x0000000000ECD000-memory.dmp
memory/268-698-0x0000000001010000-0x000000000101C000-memory.dmp
memory/1652-702-0x0000000000400000-0x0000000000AEA000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\Users\Admin\Pictures\8EwrdpAH4C3cgb6QTKApj5cx.exe
| MD5 | 858bb0a3b4fa6a54586402e3ee117076 |
| SHA1 | 997c31f043347883ea5ed2323a558b6cc5ea9c8e |
| SHA256 | d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35 |
| SHA512 | e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd |
memory/1652-748-0x0000000000400000-0x0000000000AEA000-memory.dmp
memory/1736-750-0x0000000000400000-0x0000000000ECD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HIIEBAFCBK.exe
| MD5 | fe380780b5c35bd6d54541791151c2be |
| SHA1 | 7fe3a583cf91474c733f85cebf3c857682e269e1 |
| SHA256 | b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53 |
| SHA512 | ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\28c4f66bcbca2409245b90c06d7863f72bfb26e723ef2b7a683ac77baf129093\b8154cc47ac84782b68e92d1426658f7.tmp
| MD5 | 0796b50bb845dba8f6afd9614ceb3fa9 |
| SHA1 | 256b752aaaec4eabaa609f01032a60d1b8d05de2 |
| SHA256 | 0d9e26044205691168b980f77cff7f3030c22ed7a8d8dd5dd82bbf0990405ed2 |
| SHA512 | 003599ca1fcfd00c5ad9924d8f61198360728bf5fb92b7aa7f764b137e1cebaed590314ccc8bb2822bb50524be0ed9eb23085f23dbf972dbc8bc487a757297cc |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |