Malware Analysis Report

2024-11-30 02:14

Sample ID 240329-b8ywzaed4t
Target 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3
SHA256 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3
Tags
glupteba stealc zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer themida trojan rhadamanthys upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3

Threat Level: Known bad

The file 627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3 was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer themida trojan rhadamanthys upx

Glupteba payload

Modifies firewall policy service

Windows security bypass

Detects DLL dropped by Raspberry Robin.

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect ZGRat V1

Rhadamanthys

Glupteba

ZGRat

Stealc

Modifies boot configuration data using bcdedit

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Loads dropped DLL

Reads data files stored by FTP clients

UPX packed file

Checks BIOS information in registry

Windows security modification

Drops startup file

Themida packer

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Manipulates WinMon driver.

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Checks processor information in registry

Runs ping.exe

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 01:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 01:49

Reported

2024-03-29 01:54

Platform

win7-20240220-en

Max time kernel

295s

Max time network

280s

Command Line

"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\DHrvSEeITEsDtreM6gGvTEBG.exe = "0" C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\pdyn7oD3qnJKXzo2cIjFmbrQ.exe = "0" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1DVryZKSd4vk6OCDZceFCDUO.exe = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\REl8avza6TsZc0fbbkzhw2v3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wmmL3OeNwhjNKfqHON2dJXP1.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1AOXHZT8Fl4OUGOT8vYTEsu2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YlAVuaPPJyyT5P5nYbeFTcTG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzDr3KzxtGcUVQapfWML4NLn.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NtRgrIDbcMkxj1YHMo9vxCsm.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tJwHiYTpVZmwNYjLe9YHPLJR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xxvpx1LyKkbOGqJsxcnBqSdI.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sertI4XG92dn6WZzlOd0UFfU.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
N/A N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe N/A
N/A N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe N/A
N/A N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe N/A
N/A N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe N/A
N/A N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe N/A
N/A N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe N/A
N/A N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\DHrvSEeITEsDtreM6gGvTEBG.exe = "0" C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\pdyn7oD3qnJKXzo2cIjFmbrQ.exe = "0" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1DVryZKSd4vk6OCDZceFCDUO.exe = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2700 set thread context of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
File opened for modification C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
File opened for modification C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240329014946.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
N/A N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
N/A N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
N/A N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
N/A N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
N/A N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe N/A
N/A N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
N/A N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
N/A N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
N/A N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
N/A N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
N/A N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2700 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2948 wrote to memory of 2064 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe
PID 2948 wrote to memory of 2064 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe
PID 2948 wrote to memory of 2064 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe
PID 2948 wrote to memory of 2064 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe
PID 2948 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe
PID 2948 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe
PID 2948 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe
PID 2948 wrote to memory of 2276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe
PID 2948 wrote to memory of 2896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\kq1YoTxsBk1xxrMNhaHUnVgD.exe
PID 2948 wrote to memory of 2896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\kq1YoTxsBk1xxrMNhaHUnVgD.exe
PID 2948 wrote to memory of 2896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\kq1YoTxsBk1xxrMNhaHUnVgD.exe
PID 2948 wrote to memory of 2896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\kq1YoTxsBk1xxrMNhaHUnVgD.exe
PID 2948 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe
PID 2948 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe
PID 2948 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe
PID 2948 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe
PID 2948 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe
PID 2948 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe
PID 2948 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe
PID 2948 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe
PID 992 wrote to memory of 448 N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe C:\Windows\system32\cmd.exe
PID 992 wrote to memory of 448 N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe C:\Windows\system32\cmd.exe
PID 992 wrote to memory of 448 N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe C:\Windows\system32\cmd.exe
PID 992 wrote to memory of 448 N/A C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe C:\Windows\system32\cmd.exe
PID 488 wrote to memory of 3024 N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe C:\Windows\system32\cmd.exe
PID 488 wrote to memory of 3024 N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe C:\Windows\system32\cmd.exe
PID 488 wrote to memory of 3024 N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe C:\Windows\system32\cmd.exe
PID 488 wrote to memory of 3024 N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe C:\Windows\system32\cmd.exe
PID 448 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 448 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 448 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 648 wrote to memory of 2100 N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 2100 N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 2100 N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 2100 N/A C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe C:\Windows\system32\cmd.exe
PID 2100 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2100 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2100 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3024 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3024 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3024 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 488 wrote to memory of 1952 N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe C:\Windows\rss\csrss.exe
PID 488 wrote to memory of 1952 N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe C:\Windows\rss\csrss.exe
PID 488 wrote to memory of 1952 N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe C:\Windows\rss\csrss.exe
PID 488 wrote to memory of 1952 N/A C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe C:\Windows\rss\csrss.exe
PID 1952 wrote to memory of 1288 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1952 wrote to memory of 1288 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1952 wrote to memory of 1288 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1952 wrote to memory of 1288 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2064 wrote to memory of 2416 N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe
PID 2064 wrote to memory of 2416 N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe
PID 2064 wrote to memory of 2416 N/A C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe

"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe

"C:\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe"

C:\Users\Admin\Pictures\kq1YoTxsBk1xxrMNhaHUnVgD.exe

"C:\Users\Admin\Pictures\kq1YoTxsBk1xxrMNhaHUnVgD.exe"

C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe

"C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe"

C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe

"C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe"

C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe

"C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240329014946.log C:\Windows\Logs\CBS\CbsPersist_20240329014946.cab

C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe

"C:\Users\Admin\Pictures\DHrvSEeITEsDtreM6gGvTEBG.exe"

C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe

"C:\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe"

C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe

"C:\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe"

C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe

"C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe"

C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe"

C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe

"C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.68.143:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
DE 185.172.128.144:80 185.172.128.144 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 net.geo.opera.com udp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 104.21.32.142:443 shipofdestiny.com tcp
US 172.67.200.219:443 sty.ink tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
US 172.67.200.219:443 sty.ink tcp
US 104.21.15.5:443 operandotwo.com tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 lawyerbuyer.org udp
US 8.8.8.8:53 lawyerbuyer.org udp
GB 95.101.143.25:80 apps.identrust.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 8.8.8.8:53 guseman.org udp
US 104.21.80.30:443 guseman.org tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 6196d7d2-1acc-4b94-8ed3-9cb7bed1f774.uuid.statsexplorer.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 46.226.167.187:80 46.226.167.187 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.246:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 server15.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun3.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp

Files

memory/2948-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2948-1-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2948-2-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2948-3-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2948-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2948-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2948-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2948-9-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3B43.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d491d5c0f46711ce4e07cabf54252b3
SHA1 222e61dba33c522dc9df2f168861a92d912b72e7
SHA256 c32b52b2686a5c515d7ced15e209caab6f8385010a4dc21476c8f96969a4e476
SHA512 2042bcfef0258ec42606284173b96bc0fec1f2df1ae61554dd20ed2d62d429b90fe47b2d4502ae0619ed13482695d5cf789af52de84031ddea71fb565a614ae1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06ebbe78e2df560c59e3981e04d544da
SHA1 0a7349c5357075fb62bc1f68deeadebb8c38edc7
SHA256 dda4aaa026ec03d445acdcfa1cc1fe1f7edd2afa95ff49729c1c781139566771
SHA512 420c6cbc5527aaf32af056f4695216d74381b47960efb78cc6f212b07b03581e632c018fd118bd1f4b1d61f7db637ae69444ee33407b1b9f5686c694e5e23308

\Users\Admin\Pictures\2EQBVA9X0HNy4n6ZPVpufbI6.exe

MD5 8bc396803bf0c509173078f354cb293b
SHA1 8a8e2298863cf6d5b5ad1c1f1efdb4f372f1cfa0
SHA256 e79bb6f916ff4f4bcca0dd2bb4c16233090265c38f3aeaa4a19bb125138773bb
SHA512 da3e916fb3b662584e3f1c8e5e6ac3c75c2f8aba0113597257cae5e9515944055e59d242efd08155939ea7044c7bf15a242f8d950e0a4a996889cbad1e20cd83

memory/2064-194-0x0000000000B80000-0x0000000000BEE000-memory.dmp

memory/2064-193-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/2064-195-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b311d766b7216abb51e5a7eee37445cb
SHA1 ecf7328773f56c167db2fde2f099b2068494da72
SHA256 de51da78f006df15778b5e03c43fde6406697b884947e50e1bb5eb384b0bbdc5
SHA512 84f3681a5bb064491d9882bfa5e8d287a08122933c868cb9ac9711daa41a117a15a29060190ceb192c9d69e9a88951a2cac03bcee5e17e4edfc730779679ecfd

\Users\Admin\Pictures\pdyn7oD3qnJKXzo2cIjFmbrQ.exe

MD5 80fbcd8bcab6ddca53a467dfc54b2123
SHA1 5394a3de0dc598eeba66870d9070f54e8b137ede
SHA256 fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b
SHA512 d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c

memory/2276-292-0x0000000002810000-0x0000000002C08000-memory.dmp

C:\Users\Admin\Pictures\kq1YoTxsBk1xxrMNhaHUnVgD.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

\Users\Admin\Pictures\1DVryZKSd4vk6OCDZceFCDUO.exe

MD5 ac5f59828c7112f4d6f37f3daea03a4c
SHA1 780cbc00e9a044da535af3f1da25445c893a8e53
SHA256 6b0109f5a9106f6cfa857fd3380aaed9c3d461bd8303d58a22af7a42b658b1fc
SHA512 7b68ba612901c89af3a50c5241c03001911a7f8b4cb60966a8578b9eb9dfdbd3c917391af1c12e75217d557c1c2367971a8a9edd05a3fb0aafe68774e46db873

memory/2896-325-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2896-327-0x00000000003A0000-0x00000000003EA000-memory.dmp

memory/2896-326-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/2276-342-0x0000000002810000-0x0000000002C08000-memory.dmp

memory/2616-351-0x0000000002870000-0x0000000002C68000-memory.dmp

memory/2276-352-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b3d955d67519c748d4659e755f15476
SHA1 c0108aa642fb9d6d661bb2e76baddfc4af87c000
SHA256 a0ff49f3c01bd529b9e90d0a80f080b14e0c9af840be7f4cde1e120d033df691
SHA512 467d228f10ec80f38c29437eac17cf89d8897b598c967286750daa63b5035401a48a80c6407b3fa9f2c197249141be42098538a624f89570e2b8131d2e078c6c

memory/2276-328-0x0000000002C10000-0x00000000034FB000-memory.dmp

memory/2616-383-0x0000000002870000-0x0000000002C68000-memory.dmp

memory/2616-384-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16b8c125c93ed1140f8bb35ed9a5ae24
SHA1 90ade4c4eb491c15749e3af23015941f73054951
SHA256 d014160acd848d181cf723aaca0a1c86c81f33ea657c38bb6ba4939923e174fe
SHA512 962067ed51e154fe5ef46df01ba3b9cd271679aea69a99e01e4660c8ceedf3705097ae7251e1ca40fdce68fc0084725a39710272cdb5d063b4a199c4df81a950

memory/992-389-0x00000000027E0000-0x0000000002BD8000-memory.dmp

memory/2616-391-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/488-390-0x0000000002760000-0x0000000002B58000-memory.dmp

memory/648-393-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/2848-394-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/992-396-0x00000000027E0000-0x0000000002BD8000-memory.dmp

memory/2276-395-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/992-398-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2616-401-0x0000000002870000-0x0000000002C68000-memory.dmp

memory/488-400-0x0000000002760000-0x0000000002B58000-memory.dmp

memory/488-403-0x0000000002B60000-0x000000000344B000-memory.dmp

memory/488-405-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/648-407-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/648-408-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/2848-406-0x00000000706F0000-0x00000000706F6000-memory.dmp

memory/2848-409-0x0000000070700000-0x0000000070706000-memory.dmp

memory/992-448-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1952-457-0x0000000002610000-0x0000000002A08000-memory.dmp

memory/488-458-0x0000000002760000-0x0000000002B58000-memory.dmp

memory/488-456-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2064-459-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/648-460-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1952-462-0x0000000002610000-0x0000000002A08000-memory.dmp

memory/2896-463-0x00000000003A0000-0x00000000003EA000-memory.dmp

memory/2064-461-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1952-464-0x0000000000400000-0x0000000000ECD000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/2624-471-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2624-485-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3b40f28da6d5bff9819224fe0e2a7a1
SHA1 c144aebb5ccb01aeeb5fdf4d946cf1a45117d3a4
SHA256 af5e7f078612f559ef5c6c99ce13243e4b65f76d3377d30de9c9842d65131a8b
SHA512 37cd21f733ff419a27a7edd5030cbc6f24e6a2f559634cb8094facbd649a4b5524c9d9b229df7039d028d9aef75bc26793dab48b8defc0a59591f75febc77dfe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\u1lc.0.exe

MD5 a533c58be371236669106ab5243b05bb
SHA1 59e8eae350fd911b9d74940fd5a0793f6b4fddc0
SHA256 6f746358af1862e923dee83621f64d56b2e8d8f8936e71d4d6bc565e97e58b09
SHA512 83970ca812ebef5e7c7a4e32c6b6a48d0028f688241441fedfa00e9171592bbc6fa883f0bc7f2603d31f687b1510633bca5468b3ecb96481aa62451c85885f8d

memory/2416-522-0x00000000001B0000-0x00000000001D7000-memory.dmp

memory/2416-523-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/2416-521-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2064-527-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/2416-528-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1952-577-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2416-579-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1952-580-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1952-581-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2416-584-0x00000000002D0000-0x00000000003D0000-memory.dmp

C:\Users\Admin\Pictures\BbJ8EuidI6f3vr0PGoq1JQUf.exe

MD5 858bb0a3b4fa6a54586402e3ee117076
SHA1 997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256 d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512 e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd

memory/1952-592-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2948-593-0x000000000BAC0000-0x000000000C5CA000-memory.dmp

memory/2528-594-0x000000013FD00000-0x000000014080A000-memory.dmp

memory/2528-596-0x000000013FD00000-0x000000014080A000-memory.dmp

memory/2528-595-0x000007FEFD340000-0x000007FEFD3AC000-memory.dmp

memory/2528-598-0x000000013FD00000-0x000000014080A000-memory.dmp

memory/2528-600-0x000000013FD00000-0x000000014080A000-memory.dmp

memory/2528-603-0x000000013FD00000-0x000000014080A000-memory.dmp

memory/2528-604-0x000000013FD00000-0x000000014080A000-memory.dmp

memory/2528-605-0x000000013FD00000-0x000000014080A000-memory.dmp

memory/2528-602-0x000000013FD00000-0x000000014080A000-memory.dmp

memory/2528-601-0x000007FE80010000-0x000007FE80011000-memory.dmp

memory/2528-599-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2528-597-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/1952-615-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2528-617-0x000000013FD00000-0x000000014080A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/2064-633-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/2064-632-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1516-639-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 d4d796eca3447520597aa4858644b631
SHA1 7a40e1fd473d9b62d68716ac4a6ffb9419228982
SHA256 1ae89279d22d41c2352dc22417f1f45f072e0bcc0fb2fb0f15921e9f3e8b3a6a
SHA512 8a70d389cc90f92e6b2e9098822101de78f70a548e8a2679af3389d1fc55e2570aaf2c2a4b1f9b35d44a8f79d904b8f382158edec427e07cc8f53e86917cd797

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 0a264a294c4aa4c327061748a36a837b
SHA1 c870e4b6a80eb2344cf54ca3fc8e1b4a5c680822
SHA256 135b0e5b78294d4c985e034c6b3efb69c9dca9ce0bbf13eed96cd7c8eeb59f90
SHA512 068c0a8066273071694b4b0d75504d85fe5c3179b8608226835b029f95560f8cd668f7623ccb293441f72eb44ce0ddf0915623db6c650ee75e9b77c3a33e9539

memory/2564-672-0x0000000000100000-0x00000000039F8000-memory.dmp

memory/2564-674-0x0000000003FC0000-0x0000000003FD0000-memory.dmp

memory/2564-673-0x000000001F030000-0x000000001F140000-memory.dmp

memory/2564-675-0x0000000003FE0000-0x0000000003FEC000-memory.dmp

memory/2564-676-0x0000000003FD0000-0x0000000003FE4000-memory.dmp

memory/2564-677-0x0000000004000000-0x0000000004024000-memory.dmp

memory/2564-686-0x0000000004030000-0x000000000403A000-memory.dmp

memory/2564-687-0x0000000005880000-0x00000000058AA000-memory.dmp

memory/2564-688-0x000000001EC50000-0x000000001ED02000-memory.dmp

memory/2564-689-0x000000001DFA0000-0x000000001E01A000-memory.dmp

memory/2564-690-0x000000001F510000-0x000000001F572000-memory.dmp

memory/2564-691-0x0000000004040000-0x000000000404A000-memory.dmp

memory/2564-695-0x000000001FD00000-0x0000000020000000-memory.dmp

memory/2948-700-0x000000000BAC0000-0x000000000C5CA000-memory.dmp

memory/2564-701-0x000000001E040000-0x000000001E0C0000-memory.dmp

memory/2564-703-0x000007FEF4C30000-0x000007FEF561C000-memory.dmp

memory/2564-702-0x000000001E020000-0x000000001E02A000-memory.dmp

memory/2564-705-0x000000001E0C0000-0x000000001E0E2000-memory.dmp

memory/2564-711-0x000000001E040000-0x000000001E0C0000-memory.dmp

memory/2564-710-0x000000001E040000-0x000000001E0C0000-memory.dmp

memory/2528-709-0x00000000772C0000-0x0000000077469000-memory.dmp

memory/2564-714-0x000000001E030000-0x000000001E03C000-memory.dmp

memory/2528-708-0x000007FEFD340000-0x000007FEFD3AC000-memory.dmp

memory/2564-707-0x00000000058C0000-0x00000000058CA000-memory.dmp

memory/2564-706-0x000000013FD00000-0x000000014080A000-memory.dmp

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\GHJKEHJEGC.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\bd92d7984d802ff9a1e24336bd1ccb4209c69a1bd116225cd9479ac9d0f516c4\8bc0c7d7da84407da04a80f94880ed84.tmp

MD5 6a21c5392631e976dd7bf48469e072c9
SHA1 c6ca9ebc1c5a4cc7fe1d848e5381e28e5c694c36
SHA256 e495dfdee8567e91d280c19bea45d0922e04040fb759bfdc0b6f9ae7e2ffb84e
SHA512 495950161f937d9954b7c60653836881ea97367840b5bc4d24acbf820eb2c62b2b147a2c50413a9bf6ea1728db844b4bcf340799afc9297cd1802ea01e0e5258

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 01:49

Reported

2024-03-29 01:54

Platform

win10-20240221-en

Max time kernel

299s

Max time network

277s

Command Line

sihost.exe

Signatures

Detects DLL dropped by Raspberry Robin.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2728 created 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe c:\windows\system32\sihost.exe

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\dnEauYhBXp737FI6Xq5npTkd.exe = "0" C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\M0HVBzEYCUfC8uFCUlcL2AGy.exe = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Pj2W3AxLbkebczkXN9NMODEB.exe = "0" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USANecnJCkiXRtR5m2EG52Ik.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sr26o6VLe0VZDAjl9CSC1px6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eIFIDxIY3LQmYocCbEDEdbdp.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ObyeYQqCa1DILWJqcE1He5Wo.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smrfMqU0fkPB4phv3BlZfoO0.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H3b62ovWdR6iwL0252Qikfxu.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z0sDgEWIoL1TCwByqj7gOWCG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e5Ln31OLuTUxOnk3lcOX3ZFT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OF7FPDB3MmDwqjojN29AbUqj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YmSPQ3JkIqoP746DQswIm8C3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4Qb2bwU6jtyICBea1GrfwiMz.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe N/A
N/A N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
N/A N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
N/A N/A C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe N/A
N/A N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe N/A
N/A N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
N/A N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
N/A N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
N/A N/A C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
N/A N/A C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
N/A N/A C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
N/A N/A C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCBKECAKFB.exe N/A
N/A N/A C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\assistant_installer.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\M0HVBzEYCUfC8uFCUlcL2AGy.exe = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\dnEauYhBXp737FI6Xq5npTkd.exe = "0" C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Pj2W3AxLbkebczkXN9NMODEB.exe = "0" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe N/A
N/A N/A C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe N/A
N/A N/A C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe N/A
N/A N/A C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
N/A N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
N/A N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
N/A N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
N/A N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
N/A N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
N/A N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3076 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3076 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3076 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3076 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3076 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3076 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3076 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3076 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4648 wrote to memory of 4604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe
PID 4648 wrote to memory of 4604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe
PID 4648 wrote to memory of 4604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe
PID 4648 wrote to memory of 1940 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe
PID 4648 wrote to memory of 1940 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe
PID 4648 wrote to memory of 1940 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe
PID 4604 wrote to memory of 2680 N/A C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe
PID 4604 wrote to memory of 2680 N/A C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe
PID 4604 wrote to memory of 2680 N/A C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe
PID 4648 wrote to memory of 4884 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe
PID 4648 wrote to memory of 4884 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe
PID 4648 wrote to memory of 4884 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe
PID 4648 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe
PID 4648 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe
PID 4648 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe
PID 4648 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe
PID 4648 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe
PID 4648 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe
PID 1940 wrote to memory of 4560 N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 4560 N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1940 wrote to memory of 4560 N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4884 wrote to memory of 1816 N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4884 wrote to memory of 1816 N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4884 wrote to memory of 1816 N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4288 wrote to memory of 5064 N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4288 wrote to memory of 5064 N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4288 wrote to memory of 5064 N/A C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4648 wrote to memory of 3616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe
PID 4648 wrote to memory of 3616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe
PID 4648 wrote to memory of 3616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe
PID 3616 wrote to memory of 2928 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2928 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2928 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3616 wrote to memory of 2728 N/A C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2728 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2728 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2728 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2728 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 2728 wrote to memory of 2452 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 4604 wrote to memory of 4036 N/A C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe
PID 4604 wrote to memory of 4036 N/A C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe
PID 4604 wrote to memory of 4036 N/A C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe
PID 4920 wrote to memory of 4912 N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4912 N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4912 N/A C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4516 wrote to memory of 4600 N/A C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

c:\windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe

"C:\Users\Admin\AppData\Local\Temp\627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe

"C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe"

C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe

"C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe"

C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe"

C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe

"C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe"

C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe

"C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe"

C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe

"C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe

"C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 844

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 660

C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe"

C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe

"C:\Users\Admin\Pictures\Pj2W3AxLbkebczkXN9NMODEB.exe"

C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe

"C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe"

C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe

"C:\Users\Admin\Pictures\dnEauYhBXp737FI6Xq5npTkd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe

"C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe" --silent --allusers=0

C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe

C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6d69e1d0,0x6d69e1dc,0x6d69e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\1JigME3SsUIhiv0lQ9CM9ysq.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\1JigME3SsUIhiv0lQ9CM9ysq.exe" --version

C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe

"C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2440 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329015037" --session-guid=b559bfbf-0fd0-4efb-a107-5e13275a352b --server-tracking-blob=N2MzMTJmYWMwZThiN2ExMTA0NDNlMTQ3Nzc5Mjg5N2NmZjRlNjgyZjQ0NDg4ZTVhNmVlYjM2NWQ1NzcxMmExODp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2NzY5ODEuMTMwNSIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjcwY2MyOGIyLWZhOWYtNDVmZS1hZTExLTEzM2E5YWQyZWZkMiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4804000000000000

C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe

C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x6cd1e1d0,0x6cd1e1dc,0x6cd1e1e8

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCBKECAKFB.exe"

C:\Users\Admin\AppData\Local\Temp\GCBKECAKFB.exe

"C:\Users\Admin\AppData\Local\Temp\GCBKECAKFB.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GCBKECAKFB.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe

"C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xc10040,0xc1004c,0xc10058

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.68.143:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
DE 185.172.128.144:80 185.172.128.144 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 172.67.152.98:443 shipofdestiny.com tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.200.219:443 sty.ink tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 104.21.15.5:443 operandotwo.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 219.200.67.172.in-addr.arpa udp
US 8.8.8.8:53 17.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 190.73.21.217.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 lawyerbuyer.org udp
US 8.8.8.8:53 guseman.org udp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
US 172.67.173.167:443 guseman.org tcp
US 8.8.8.8:53 98.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 5.15.21.104.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 144.210.57.176.in-addr.arpa udp
US 8.8.8.8:53 65.170.67.172.in-addr.arpa udp
US 8.8.8.8:53 167.173.67.172.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 209.128.172.185.in-addr.arpa udp
US 172.67.206.194:443 tcp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
US 172.67.206.194:443 tcp
US 172.67.206.194:443 tcp
US 172.67.206.194:443 tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.248:443 tcp
US 8.8.8.8:53 248.2.93.185.in-addr.arpa udp
DE 185.172.128.65:80 tcp
US 20.9.155.148:443 tcp
US 8.8.8.8:53 148.155.9.20.in-addr.arpa udp
NL 82.145.216.20:443 tcp
NL 82.145.216.20:443 tcp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 82.145.217.121:443 tcp
NL 185.26.182.111:443 features.opera-api2.com tcp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
NL 185.26.182.122:443 download.opera.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 45.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.10.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 89.10.18.104.in-addr.arpa udp
GB 104.86.110.241:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 server6.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun4.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 104.115.33.152:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.157.87.45:80 tcp
US 8.8.8.8:53 udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
N/A 20.157.87.45:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 88.221.135.208:80 tcp
GB 88.221.135.208:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 19.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.108:443 server6.statsexplorer.org tcp

Files

memory/4648-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4648-1-0x0000000073A60000-0x000000007414E000-memory.dmp

memory/4648-2-0x00000000056C0000-0x00000000056D0000-memory.dmp

C:\Users\Admin\Pictures\KhtHEHz0QFwK96n9HPYVqkZD.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\dAkRzkLFDMgR4jxfrugQjga0.exe

MD5 8029eabc9f5fd43f48264fe226b8cd91
SHA1 1b4d42cc76799cec28eea1624c96940bdb25ade4
SHA256 de9576669a1fb624ec2eecec8c7ebf9bcec0bd8f32cc82d15c2afa02a9fab71b
SHA512 67df40a50113ba24a9d6d953428c8f3495e1320400839819a02bf0c76cea9f2ee4278c074e49f3d7399d0d58adae39c84768ebd2ca77d97cf002100dd6ae54a5

C:\Users\Admin\Pictures\98vAUqcxh0OULd8xEzpiDmfd.exe

MD5 8bc396803bf0c509173078f354cb293b
SHA1 8a8e2298863cf6d5b5ad1c1f1efdb4f372f1cfa0
SHA256 e79bb6f916ff4f4bcca0dd2bb4c16233090265c38f3aeaa4a19bb125138773bb
SHA512 da3e916fb3b662584e3f1c8e5e6ac3c75c2f8aba0113597257cae5e9515944055e59d242efd08155939ea7044c7bf15a242f8d950e0a4a996889cbad1e20cd83

memory/4604-24-0x0000000000BA0000-0x0000000000C0E000-memory.dmp

memory/4604-23-0x0000000000C10000-0x0000000000D10000-memory.dmp

memory/4604-25-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\Pictures\MvRCBTq4ffKDN8dZ0g9sXEHF.exe

MD5 cfee123c71b90f5b68384f80a6a90dfb
SHA1 07c91b2d7a53a557d0121e55ccd49b84e9d2a3f9
SHA256 e5ff9947ae3d0cc998d06d0b1b1ca78fe6e6506005ba51be88369d62bdce09d2
SHA512 9b45bdabb512d0ded708388e18bf736a1862eced03f89b989ab8f0bfa1e02c6b9e3c4f6adfa376af39e5a36ee17d136f5648952d9d2860bb6426c3ebc198cfb7

C:\Users\Admin\Pictures\M0HVBzEYCUfC8uFCUlcL2AGy.exe

MD5 80fbcd8bcab6ddca53a467dfc54b2123
SHA1 5394a3de0dc598eeba66870d9070f54e8b137ede
SHA256 fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b
SHA512 d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c

memory/1940-40-0x0000000002B60000-0x0000000002F5D000-memory.dmp

memory/1940-41-0x0000000002F60000-0x000000000384B000-memory.dmp

memory/1940-43-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3jw.0.exe

MD5 a533c58be371236669106ab5243b05bb
SHA1 59e8eae350fd911b9d74940fd5a0793f6b4fddc0
SHA256 6f746358af1862e923dee83621f64d56b2e8d8f8936e71d4d6bc565e97e58b09
SHA512 83970ca812ebef5e7c7a4e32c6b6a48d0028f688241441fedfa00e9171592bbc6fa883f0bc7f2603d31f687b1510633bca5468b3ecb96481aa62451c85885f8d

memory/2680-54-0x0000000000B50000-0x0000000000B77000-memory.dmp

C:\Users\Admin\AppData\Local\ANkbyJsCxl1p6AHzGcQsQ8z5.exe

MD5 ac5f59828c7112f4d6f37f3daea03a4c
SHA1 780cbc00e9a044da535af3f1da25445c893a8e53
SHA256 6b0109f5a9106f6cfa857fd3380aaed9c3d461bd8303d58a22af7a42b658b1fc
SHA512 7b68ba612901c89af3a50c5241c03001911a7f8b4cb60966a8578b9eb9dfdbd3c917391af1c12e75217d557c1c2367971a8a9edd05a3fb0aafe68774e46db873

memory/2680-49-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

memory/2680-59-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/4884-60-0x0000000002B90000-0x0000000002F89000-memory.dmp

memory/4884-61-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4288-70-0x0000000002BC0000-0x0000000002FC2000-memory.dmp

memory/4648-71-0x0000000073A60000-0x000000007414E000-memory.dmp

C:\Users\Admin\Pictures\tLZ0HXwLBJe46oxNEwat508w.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/4648-81-0x00000000056C0000-0x00000000056D0000-memory.dmp

memory/4288-80-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2596-82-0x0000000000D50000-0x0000000000D9A000-memory.dmp

memory/2596-83-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/4604-87-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1940-88-0x0000000002B60000-0x0000000002F5D000-memory.dmp

memory/4604-86-0x0000000000C10000-0x0000000000D10000-memory.dmp

memory/2596-85-0x0000000000DC0000-0x0000000000EC0000-memory.dmp

memory/2596-84-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

C:\Users\Admin\Pictures\rTpvbFRIqV8bd1X04TQ3bSZe.exe

MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

memory/4560-98-0x0000000073A60000-0x000000007414E000-memory.dmp

memory/4560-100-0x0000000006850000-0x0000000006886000-memory.dmp

memory/1816-101-0x0000000073A60000-0x000000007414E000-memory.dmp

memory/3616-104-0x0000000000120000-0x000000000018E000-memory.dmp

memory/4560-102-0x0000000006F10000-0x0000000007538000-memory.dmp

memory/1940-106-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1816-108-0x0000000007110000-0x0000000007120000-memory.dmp

memory/4560-109-0x00000000068D0000-0x00000000068E0000-memory.dmp

memory/3616-113-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/4560-115-0x00000000068D0000-0x00000000068E0000-memory.dmp

memory/4560-116-0x0000000006E60000-0x0000000006E82000-memory.dmp

memory/1816-119-0x0000000007110000-0x0000000007120000-memory.dmp

memory/4560-120-0x0000000007710000-0x0000000007776000-memory.dmp

memory/2728-122-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4884-123-0x0000000002B90000-0x0000000002F89000-memory.dmp

memory/5064-125-0x0000000006ED0000-0x0000000006EE0000-memory.dmp

memory/4560-124-0x00000000077F0000-0x0000000007856000-memory.dmp

memory/3616-121-0x0000000073A60000-0x000000007414E000-memory.dmp

memory/4560-126-0x0000000007860000-0x0000000007BB0000-memory.dmp

memory/2728-114-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3616-127-0x00000000023E0000-0x00000000043E0000-memory.dmp

memory/2596-128-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-129-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-130-0x0000000003260000-0x0000000003360000-memory.dmp

memory/5064-112-0x0000000073A60000-0x000000007414E000-memory.dmp

memory/2596-131-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-132-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-135-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-134-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-136-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-133-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-137-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-139-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-140-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-138-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-141-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-144-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-143-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-145-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2596-147-0x0000000003260000-0x0000000003360000-memory.dmp

memory/4560-146-0x00000000077C0000-0x00000000077DC000-memory.dmp

memory/2596-142-0x0000000003260000-0x0000000003360000-memory.dmp

memory/2680-162-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnwfhih4.o44.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2728-187-0x0000000003930000-0x0000000003D30000-memory.dmp

memory/2728-190-0x0000000003930000-0x0000000003D30000-memory.dmp

memory/2728-195-0x00007FF8B2BD0000-0x00007FF8B2DAB000-memory.dmp

memory/2452-216-0x00000000005F0000-0x00000000005F9000-memory.dmp

memory/2728-212-0x00000000774A0000-0x0000000077662000-memory.dmp

memory/2452-232-0x0000000000AB0000-0x0000000000EB0000-memory.dmp

memory/2452-238-0x00007FF8B2BD0000-0x00007FF8B2DAB000-memory.dmp

memory/2452-254-0x00000000774A0000-0x0000000077662000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3jw.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/4604-339-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1940-441-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2680-443-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/4884-444-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4288-445-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2596-446-0x0000000000400000-0x0000000000B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 b3e64b0d04f45f9344ab573302961573
SHA1 ad5a28e4ea7b5262104a6cb52119c29af57cc1ea
SHA256 21e4f9764bc40cea5164d5309a1f840bfe1498acf2eff51149b0d16d4a5b533e
SHA512 b83124dae68e2f9485d2d35e86a7beab378e9773682b3703ad795627b5d2c5c62b08b757a62036ea9246e8ba1f6054d9255b09b17d564ae45700a094fda93cde

memory/2680-1004-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/4036-1014-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a21bff6c7232719de5602ac6598861c7
SHA1 1f6d465dbc02fb7f80c9f6faa8ada826061e9b84
SHA256 1f882b3af5a8c42c27697ef698e8e739f069f31157ed0e5ec38326f225c96243
SHA512 f63f16bf035e2f1fc7cf1e0bd73db428514e4207d3faf424682a9c1b7c40b1c67addd78e2e49f8fe59ba2b090f30b2bfb33f362613a6600b9e0753117f3bdb3d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b928b80e45eccd55eda1973b0f71f378
SHA1 904d13cd1cdd17f943a64801c3801af8f4416e21
SHA256 1f65bd7ef696c5ae6305d909c723a07aa19b4bcc5e482f8af9777d9da7a7ce98
SHA512 ba48cc267776d94dbf637e8ee672ca3046da23b65a92cc4e6c3c13b695c2f70ec95b7abf662da46b16730e14671db766f7d0ba58d636688a609bd50969d6e610

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2680-1192-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/4884-1193-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4288-1194-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1940-1191-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4288-1209-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1940-1213-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4884-1208-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2680-1300-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 a3bd49eb679c59f5060ed40eda2a9e61
SHA1 4df35ffec7bba7de3f23be76017123033eebf88e
SHA256 f2e2efb46f1414a8921e0a5b644c0467258f26a6c9cfdafc02f4ae2f0e29eb8e
SHA512 0849387cebf3592a4f0f896f900bb36603038fb987dc8e8f87e0fcfb5f6cae05ed12262b07064dd04a5eb3a0692137b0c1fec24e1f3f3c7c8938a7e98b649a2f

memory/4036-1359-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4516-1772-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4920-1776-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 eb437e79fad240e0bd8687a2436efffa
SHA1 e1bb1a1dfc2d71bed406290c45ae8f18d7bd184d
SHA256 2bc5b5261e9c87e26d6d571fd6e5766f406b7db30484cfc462591693072562cf
SHA512 8720d41012df133f6f93a9bab5ae4ee4023eaf81194b2de569213a1924a561c5d23816e921258101b7f70e9e61a8ad2a3959a179d4a6ef1f27a8ba1e6469b69f

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\Pictures\1JigME3SsUIhiv0lQ9CM9ysq.exe

MD5 7b6be621e7a2648b3cf6b150b0d7d67d
SHA1 b192b36649d2f557db58433fee91471a56cc6b45
SHA256 4c7ef34f73805400e95d1b3af747d8fdfc9bfc3f9f4c94ca684e0b8fb89b9c5d
SHA512 dca0d46b50c0ba61607dcb65018c7b7e5007dd813be8f6c8766c929e337105c98e3d7710f7061a06d1061be15ac3b652f6dc00d096b86b49224f6d60b8ce3323

\Users\Admin\AppData\Local\Temp\Opera_installer_2403290150371992440.dll

MD5 117176ddeaf70e57d1747704942549e4
SHA1 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA256 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512 ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 ce9db011d548ea9c7a493af6c3f9c50d
SHA1 c4ddb4dfb090bb31473477cb248a3a89fffb3d31
SHA256 064166e236387249280157b129591e090afd5803aaf57b70ce44f83078bd142a
SHA512 bd074f215016bc0076a0f08a10b6c444944e202609e7e776a89c3826af01b61adb08241566e465298f02a2a842b23f8e27539b970e84c5f8438e4db123467e20

memory/2680-2048-0x0000000000400000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GCBKECAKFB.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

memory/4796-2054-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4516-2058-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9164c10c3aaba3d97b9a69263bea7d59
SHA1 2d5e482a7b8421d943a7595d1a5ca20e8652fc76
SHA256 5feb45653049cb1c74198baf9fc7a8584b1659237bd7a9f25812e7daab801d3b
SHA512 8d4fd339c5f2bf6da337e2af0e84b67ae5f6cd93d063b11d3af48478a01edcb3af9f5833ccf7afd6c45b70d3b815dca95579bde2edc8938a6521a7bb9d57fd8e

memory/4920-2060-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4e8d5a8213b6b789580c554ad7245d4
SHA1 c6af4f0d8b24309f034330b97a3004d72f1ec74f
SHA256 93337adb0b316525d18277fc24e63519f670f98e23ffce157bfd013946b7e7a3
SHA512 31fb5da98b0b8ceffb4dd1628c0e6261637e34374cdd8b32482d8a29609a69b5a9dbaf646eb726f2f38055c1278b5b3fb66aaf75339a7a34ddc13ce50aa9d701

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Users\Admin\Pictures\wO4B4pKhjMSrNYpZuOdWiDn6.exe

MD5 858bb0a3b4fa6a54586402e3ee117076
SHA1 997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256 d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512 e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd

memory/5896-2190-0x00007FF6C0720000-0x00007FF6C122A000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6322ea9ef48c03f663bfa6147ab2eb02
SHA1 465c0c23243a0cebdc386327b78aa397eaf1efad
SHA256 b55aa9aad7bf167dc6c2c9b32144f9f2fdfc36e96abbc29f3f0d22378c80171b
SHA512 18be54b5e339bb00b0d9bff161855ac6cbefbaf84d15de79cf675cb15d062f0bbf128dfa47efd3f4b2d01a3cf31fbd715158034592f37468fc9287059b99fed8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7706eb2038f3b95d9d56f5faace9439f
SHA1 e6fee5a63c05d8bda0dc93f873494f9cd5c3a5fa
SHA256 a948802154d1b84824a623f6dfa7b8169563e1eb32978e128eaf311b3f54d0d3
SHA512 f87c68b83142cceacdd5fa6cb135bd2ab7ad89b37f0dd8a006698b2efa15071ccfc13b9b28c0425c7f3ca1d7a2b503371c84fa87610fda024afb9ba903ccea67

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e2199f807236cbc949d5d89e426a1274
SHA1 14e250e60e17f8d9452209186722f9477aa3786c
SHA256 3f52c52563dcfcd56f4b2ae26da0873686d52b1c9b26d1c16ae5e4702cd8045f
SHA512 31ee8aaa89cdb1376c8ca221f61266cc48826dd5f27f89c2bfe9b33f41fee82941c82313f8436d4133a54e4eb2435e7ef57e3f20b4f7038abbd81648c9fd5883

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 459a7fb379ebd72f9ccffac18f9cf532
SHA1 e591a1fab2593be52035072247f5a90be0921466
SHA256 596fbdc52433bd336b55df76b4ba6a40b650417c15e7544ba9d62a0c27317366
SHA512 a0905e6e6f121f93df3a5286c36634dca1ff28fd605a63602815fea7df768be53670ccf15f3bb6076bca7ba24f7f4f92e77f26dedafb7cef36d9a4a22d06d489

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c61f7668f90fccfc4af5228f51e47556
SHA1 f24cb5feeebad981c8889c3e8a642ef17dcd6253
SHA256 483b83d0303e6ab286683206738c0704e16871598e404e788efb34ec09458ee9
SHA512 296f7ce54f5eb6115240559c721687ea2372386048ca4e0dba37c92904d3fa19c221bbd2b0ab84ebc6c2137a575a80dc01501b40b8155e01a1d7e36f790ab26a

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\opera_package

MD5 401c352990789be2f40fe8f9c5c7a5ac
SHA1 d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256 f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512 efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\additional_file0.tmp

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290150371\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2